Cyber Resilience

CVE-2021-22204

Medium · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 23 April 2021
Modified: 03 November 2025
KEV Added: 17 November 2021
Patch
CVSS Score (v3.1): 6.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L)
EPSS Score: 0.9278 (99.8th percentile)
Risk Priority: 89 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-22204 is a medium-severity code injection (CWE-94) vulnerability in ExifTool; the Fedora and Debian entries listed below are the distribution packages that ship it. Its CVSS base score is 6.8 (Medium).

Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood (EPSS), CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The direct fix is to upgrade ExifTool to 12.24 or later. Among NIST 800-53 controls, the strongest mitigations our analysis identified are SI-10 (Information Input Validation) and CM-7 (Least Functionality).

Deeper analysis

CVE-2021-22204 is an improper neutralization vulnerability (CWE-94) in ExifTool, affecting versions 7.44 up to but not including 12.24, where it was fixed. It occurs during parsing of the DjVu image format: the DjVu module hands a C-style escaped string taken from the file's annotation chunk to Perl's eval after insufficient filtering, so crafted escape sequences are executed as Perl code with the privileges of the ExifTool process. The CVSS 3.1 base score of 6.8 reflects a local attack vector, low attack complexity, no required privileges or user interaction, and changed scope with low impact to each of confidentiality, integrity, and availability. The "local" vector describes the need to get a file in front of ExifTool; in practice that file usually arrives over the network as an upload.

An attacker supplies a crafted DjVu file that ExifTool parses, gaining code execution in the context of the ExifTool process. ExifTool identifies formats by content rather than by extension, so the malicious container does not need a .djvu name. Public exploit code shows the flaw is reachable remotely wherever another application invokes ExifTool on untrusted images, the best-known case being GitLab's processing of uploaded attachments (tracked separately as CVE-2021-22205), which yielded unauthenticated remote code execution on affected servers.

Public exploit modules and proof-of-concept reports exist for both standalone ExifTool and integrated products such as GitLab, and in-the-wild exploitation followed shortly after disclosure. The supplied references carry no patch details; the fix shipped in ExifTool 12.24, consistent with the affected range listed under Affected Assets, and Debian and Fedora track the issue for their packaged builds.


Vulnerability details

Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing the malicious image

CWE(s): CWE-94 (Improper Control of Generation of Code, 'Code Injection')
KEV Date Added: 17 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

exiftool project / exiftool: 7.44 up to 12.24 (fixed in 12.24)
debian / debian linux: 10.0, 9.0
fedoraproject / fedora: 32, 33, 34

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)

Directly requires validation and neutralization of untrusted data before ExifTool parses it. Because a caller cannot reasonably pre-validate the DjVu annotation grammar, the practical form of this control is to reject or quarantine DjVu containers, identified by content rather than file extension, wherever DjVu support is not needed; this limits exposure to the CWE-94 injection but does not replace the upgrade to 12.24.

SI-3 Malicious Code Protection (prevent, detect)

Deploys malicious-code detection mechanisms that can identify and block the arbitrary code payloads delivered via crafted DjVu images processed by ExifTool.

CM-7 Least Functionality (prevent)

Restricts ExifTool to the minimum required functionality: run it as an unprivileged user with no network access and a read-only view of the input, and do not expose parsers the workflow does not need, so that the DjVu flaw is harder to reach and less valuable when reached.
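One way to apply the SI-10 and CM-7 controls at the upload path described in the deeper analysis is an added example, not code from the page, ExifTool or GitLab. It assumes, beyond what the page states, that a DjVu container is recognisable by content from the bytes `AT&TFORM`, a 4-byte big-endian length and a form identifier such as `DJVU`, `DJVM` or `DJVI`, that such a container may be wrapped under any extension or inside another image's metadata segment, and that the affected range is 7.44 <= version < 12.24 as listed under Affected Assets; `exiftool -ver` is ExifTool's real version flag. The sample input is constructed and harmless.

```python
"""Upload gate for untrusted images before they reach ExifTool (CVE-2021-22204).
Added example; assumptions are noted inline and in the lead-in above."""
import re
import struct
import subprocess
from typing import List, Optional

DJVU_MAGIC = b"AT&TFORM"
DJVU_FORMS = {b"DJVU", b"DJVM", b"DJVI"}   # assumed set of DjVu form identifiers
VULN_MIN = (7, 44)                         # first affected release (from the page)
FIXED = (12, 24)                           # first release with the fix


def parse_version(text: str) -> tuple:
    """Turn '12.24' (or the output of `exiftool -ver`) into a comparable tuple."""
    m = re.search(r"(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised ExifTool version string: {text!r}")
    return int(m.group(1)), int(m.group(2))


def version_is_vulnerable(text: str) -> bool:
    return VULN_MIN <= parse_version(text) < FIXED


def installed_version() -> Optional[str]:
    """Ask the local ExifTool for its version; None if it is not installed."""
    try:
        out = subprocess.run(["exiftool", "-ver"], capture_output=True, text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return out.stdout.strip() or None


def find_djvu_containers(data: bytes) -> List[int]:
    """Offsets of every plausible DjVu IFF container in `data`, wherever it sits.
    The whole byte string is scanned, not just offset 0, because ExifTool
    identifies formats by content rather than by file name."""
    hits = []
    pos = data.find(DJVU_MAGIC)
    while pos >= 0:
        header = data[pos + 8:pos + 16]
        if len(header) == 8:
            length = struct.unpack(">I", header[:4])[0]
            if header[4:8] in DJVU_FORMS and length >= 4:
                hits.append(pos)
        pos = data.find(DJVU_MAGIC, pos + 1)
    return hits


def gate(data: bytes, version_text: str, allow_djvu: bool = False) -> Optional[str]:
    """Return a rejection reason, or None when `data` may be handed to ExifTool.
    Rule 1 (stop-gap): refuse DjVu content on an affected build, even if DjVu is
    otherwise allowed. Rule 2 (least functionality): refuse DjVu content unless
    the deployment actually needs it. Neither replaces the upgrade to 12.24."""
    containers = find_djvu_containers(data)
    if not containers:
        return None
    if version_is_vulnerable(version_text):
        return (f"DjVu container at offset {containers[0]} and ExifTool "
                f"{version_text.strip()} is in the affected range; upgrade to 12.24+")
    if not allow_djvu:
        return f"DjVu container at offset {containers[0]}; DjVu parsing is not enabled here"
    return None


def build_sample_jpeg_with_djvu() -> bytes:
    """Constructed test input: a minimal JPEG whose APP1 segment wraps a DjVu
    container with a harmless annotation chunk. It carries no exploit."""
    ant = b'(metadata (Author "constructed"))'
    anta = b"ANTa" + struct.pack(">I", len(ant)) + ant
    if len(anta) % 2:                       # IFF chunks are padded to even length
        anta += b"\x00"
    body = b"DJVU" + anta
    djvu = DJVU_MAGIC + struct.pack(">I", len(body)) + body
    app1 = b"\xff\xe1" + struct.pack(">H", len(djvu) + 2) + djvu
    return b"\xff\xd8" + app1 + b"\xff\xd9"


if __name__ == "__main__":
    import sys
    ver = installed_version() or "12.23"    # assume an affected build if none is installed
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = build_sample_jpeg_with_djvu()
    verdict = gate(blob, ver)
    print("reject:" if verdict else "allow", verdict or "")
```

Run it as `python gate.py upload.bin` in front of whatever calls ExifTool; with no argument it checks the constructed sample, which is rejected on an affected build and, by default, on a fixed build as well. The signature scan is deliberately coarse: it answers "is there a DjVu container here at all", which is the only question a caller can answer without parsing the format, so the gate is a compensating control while the upgrade to 12.24 is rolled out, not a substitute for it.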

References