Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2021-29623

Published: 13 May 2021

Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. A read of uninitialized memory was found in Exiv2 versions v0.27.3 and earlier. Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. The read of uninitialized memory is triggered when Exiv2 is used to read the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to leak a few bytes of stack memory, if they can trick the victim into running Exiv2 on a crafted image file. The bug is fixed in version v0.27.4.

Priority

Low

Cvss 3 Severity Score

3.3

Score breakdown

Status

Package Release Status
exiv2
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(code not present)
groovy
Released (0.27.3-3ubuntu0.4)
hirsute
Released (0.27.3-3ubuntu1.3)
trusty Does not exist

upstream
Released (v0.27.4)
xenial Not vulnerable
(code not present)
impish
Released (0.27.3-3ubuntu3)
focal
Released (0.27.2-8ubuntu2.4)
jammy
Released (0.27.3-3ubuntu3)
Patches:
upstream: https://github.com/Exiv2/exiv2/pull/1627/commits/82e46b5524fb904e6660dadd2c6d8e5e47375a1a

Severity score breakdown

Parameter Value
Base score 3.3
Attack vector Local
Attack complexity Low
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality Low
Integrity impact None
Availability impact None
Vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N