CVE-2021-22204
Published: 23 April 2021
Summary
CVE-2021-22204 is a medium-severity Code Injection (CWE-94) vulnerability in Fedoraproject Fedora. Its CVSS base score is 6.8 (Medium).
Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and CM-7 (Least Functionality).
Deeper analysis
CVE-2021-22204 is an improper neutralization vulnerability (CWE-94) in ExifTool versions 7.44 and later. It occurs during parsing of the DjVu image file format and permits arbitrary code execution when a malicious image is processed. The issue carries a CVSS 3.1 base score of 6.8, reflecting a local attack vector, low attack complexity, no required privileges or user interaction, and changed scope with limited impact on confidentiality, integrity, and availability.
An attacker can supply a crafted DjVu file that ExifTool will parse, resulting in code execution within the context of the ExifTool process. Public exploit code demonstrates that the flaw can be reached remotely when ExifTool is invoked by other applications on untrusted images, such as GitLab's handling of uploaded attachments, enabling unauthenticated remote code execution on affected servers.
Public exploit modules and proof-of-concept reports have been published for both standalone ExifTool and integrated products such as GitLab, confirming active interest and successful in-the-wild use shortly after disclosure. No official patch or mitigation details are contained in the supplied references.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-9350
Vulnerability details
Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing the malicious image.
- CWE(s): CWE-94
- KEV Date Added: 17 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- Directly requires validation and neutralization of untrusted data in DjVu files before ExifTool parsing, blocking the CWE-94 injection that leads to code execution.
- Deploys malicious-code detection mechanisms that can identify and block the arbitrary code payloads delivered via crafted DjVu images processed by ExifTool.
- Restricts ExifTool to minimal required functionality and disables unnecessary parsers or execution capabilities that would otherwise allow the DjVu flaw to be exploited.
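The first and third controls above come down to one engineering decision: do not let ExifTool's DjVu parser see untrusted bytes at all. The following is an added example, not code from this advisory or from the ExifTool project, of a content-sniffing allowlist gate placed in front of the ExifTool invocation. It identifies the container from the leading bytes rather than the file extension, so a DjVu file renamed to `.jpg` is still rejected. The magic-byte values come from the DjVu, JPEG, PNG and GIF format specifications (not from the advisory); the function names and the sample byte strings are constructed for illustration.

```python
import struct

# Magic-byte signatures (from the format specifications, not from the advisory).
# A DjVu file is an IFF-style container prefixed with "AT&T":
#   bytes 0-3  "AT&T", bytes 4-7 "FORM", bytes 8-11 big-endian chunk length,
#   bytes 12-15 form type ("DJVU" single page, "DJVM" bundled multipage, ...).
DJVU_MAGIC = b"AT&TFORM"

# Leading signatures of formats that this deployment is willing to pass to ExifTool.
SIGNATURES = [
    ("jpeg", b"\xff\xd8\xff"),
    ("png", b"\x89PNG\r\n\x1a\n"),
    ("gif", b"GIF87a"),
    ("gif", b"GIF89a"),
]

DEFAULT_ALLOWLIST = frozenset({"jpeg", "png", "gif"})


def sniff_format(data: bytes) -> str:
    """Identify the container format from leading bytes, ignoring any file name.

    Returns "djvu", one of the SIGNATURES names, or "unknown".
    """
    # Any AT&T/FORM container is classed as DjVu regardless of form type,
    # because that is the parser ExifTool would hand it to.
    if len(data) >= 16 and data[:8] == DJVU_MAGIC:
        return "djvu"
    for name, magic in SIGNATURES:
        if data.startswith(magic):
            return name
    return "unknown"


def gate_for_exiftool(data: bytes, allowed=DEFAULT_ALLOWLIST):
    """Decide whether a blob may be handed to ExifTool.

    Returns (allowed, reason). Deny-by-default: anything not positively
    identified as an allowlisted format is rejected, and DjVu is rejected
    explicitly so the reason is visible in logs.
    """
    fmt = sniff_format(data)
    if fmt == "djvu":
        return False, "djvu container rejected: DjVu parser not permitted (CVE-2021-22204)"
    if fmt not in allowed:
        return False, f"format {fmt!r} not on allowlist"
    return True, f"format {fmt!r} allowed"


# Constructed sample inputs (headers only; not real images).
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"
# Minimal DjVu header: magic, 4-byte chunk length, "DJVU" form type.
SAMPLE_DJVU = DJVU_MAGIC + struct.pack(">I", 4) + b"DJVU"
SAMPLE_TRUNCATED = b"AT&TFORM"          # too short to be a valid container


if __name__ == "__main__":
    for label, blob in [("upload.jpg (real JPEG)", SAMPLE_JPEG),
                        ("upload.png", SAMPLE_PNG),
                        ("upload.jpg (DjVu bytes, renamed)", SAMPLE_DJVU),
                        ("upload.bin (truncated)", SAMPLE_TRUNCATED)]:
        ok, why = gate_for_exiftool(blob)
        print(f"{label:36s} -> {'PASS' if ok else 'REJECT'}: {why}")
```

In a web application the gate runs on the raw upload bytes before any `subprocess` call to `exiftool`; the rejection reason is worth logging as a detection signal, since a stream of DjVu-shaped uploads against a JPEG-only endpoint is exactly the pattern the public exploits produce.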