CVE-2022-23935

Severity: High. Public PoC: available.

Published: 25 January 2022

Modified: 21 November 2024
KEV Added: not listed
Patch: available (ExifTool 12.38)
CVSS v3.1 base score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS score: 0.2770 (96.6th percentile)
Risk Priority: 32 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-23935 is a high-severity OS command injection (CWE-78) vulnerability in ExifTool (Exiftool Project). Its CVSS v3.1 base score is 7.8 (High).

Operationally, it ranks in the top 3.4% of CVEs by EPSS-estimated exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

ExifTool before version 12.38 contains a command-injection vulnerability in lib/Image/ExifTool.pm: the code mishandles a regular-expression check of the form $file =~ /\|$/. In Perl, a name passed to the two-argument form of open() that ends in a pipe character is treated not as a file but as a shell command whose output is to be read, so a trailing-pipe check of this kind is the guard that keeps an attacker-supplied filename or argument from turning a file open into command execution. Because the check was evaluated incorrectly, crafted input could bypass that safeguard and reach the command-execution path (the NVD description does not spell out the exact code path beyond the mishandled check). The flaw is tracked as CWE-78 and carries a CVSS 3.1 base score of 7.8.

A local attacker exploits the issue by causing a victim to run ExifTool against a specially crafted file name or command-line argument. Successful exploitation yields arbitrary command execution with the privileges of the ExifTool process, giving full control over the confidentiality, integrity, and availability of whatever that process can reach. User interaction is required, typically opening or processing the malicious input. The local attack vector reflects ExifTool being a command-line tool; a service that passes attacker-influenced file names to ExifTool (an upload-processing pipeline, for example) exposes the same path to remote input.
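The following Perl snippet is an added illustration of the hazard the trailing-pipe check is meant to prevent; it is not ExifTool's code and does not reproduce the exact ExifTool code path, only the general pattern. The function names, the constructed filename, and the whitespace-trimming in the hardened check are the editor's own assumptions.

```perl
#!/usr/bin/perl
# Added example (not ExifTool's code): why a filename ending in '|' is
# dangerous with Perl's two-argument open(), and a hardened alternative.
use strict;
use warnings;

# Vulnerable pattern: two-argument open() lets the *filename* choose the mode.
# A name ending in '|' is treated as a shell command whose output is read.
sub read_two_arg_open {
    my ($file) = @_;
    open(my $fh, $file) or return undef;   # "cmd|" runs cmd via the shell
    local $/;                              # slurp
    my $data = <$fh>;
    close $fh;
    return $data;
}

# Hardened pattern, part 1: detect names that look like pipe specs.
# Assumption: trim surrounding whitespace first so "cmd| " is caught too,
# and anchor with \A/\z (a bare $ would also match before a trailing newline).
sub looks_like_pipe {
    my ($file) = @_;
    (my $trimmed = $file) =~ s/\A\s+|\s+\z//g;
    return ($trimmed =~ /\A\|/ || $trimmed =~ /\|\z/) ? 1 : 0;
}

# Hardened pattern, part 2: reject pipe-looking names, then use the
# three-argument open() so the name can never select a mode.
sub read_three_arg_open {
    my ($file) = @_;
    return undef if looks_like_pipe($file);
    open(my $fh, '<', $file) or return undef;  # literal filename only
    local $/;
    my $data = <$fh>;
    close $fh;
    return $data;
}

unless (caller) {
    # Constructed attacker-controlled name; 'echo' stands in for any command.
    my $evil = 'echo INJECTED|';

    my $got = read_two_arg_open($evil);
    print "two-arg open:   ",
        (defined $got ? "ran a command and read: $got" : "failed\n");

    my $safe = read_three_arg_open($evil);
    print "three-arg open: ",
        (defined $safe ? "read file data\n" : "refused (rejected name or no such file)\n");
}
```

With the two-argument form the "file" is executed and its output ("INJECTED") comes back through the handle; with the hardened form the name is rejected before open() is ever reached, and even without the check the three-argument open() would only look for a literal file of that name.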

The official fix is contained in commit 74dbab1d2766d6422bb05b033ac6634bf8d1f582, which corrects the filename-handling logic. Administrators should upgrade to ExifTool 12.38 or later; running exiftool -ver prints the installed version. No other work-arounds are documented in the available references. ExifTool is also commonly vendored inside other packages and Perl applications, so bundled copies of lib/Image/ExifTool.pm need the same version check.

The CVE's EPSS score has reached a peak of 0.2775 and currently stands at 0.2770, indicating a sustained, elevated estimated probability of exploitation since disclosure.

Vulnerability details

lib/Image/ExifTool.pm in ExifTool before 12.38 mishandles a $file =~ /\|$/ check, leading to command injection.

CWE(s): CWE-78 (Improper Neutralization of Special Elements used in an OS Command)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: Exiftool Project
Product: ExifTool
Affected versions: all releases before 12.38 (fixed in 12.38)

Mitigating Controls

Likely mitigating controls (derived automatically)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-78: Platform-independent applications typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection. Caveat: the Perl interpreter imposes no such restriction, so for ExifTool this control only applies if the process is confined externally (a dedicated low-privilege account, a container, or an OS-level sandbox).

Addresses CWE-78: Validates inputs to block special elements that would alter OS command execution. For this CVE the special element at issue is a pipe character at the end of an attacker-supplied filename.
