CVE-2022-23935
Published: 25 January 2022
Summary
CVE-2022-23935 is a high-severity OS Command Injection (CWE-78) vulnerability in ExifTool (vendor: Exiftool Project). Its CVSS base score is 7.8 (High).
Operationally, it ranks in the top 3.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
ExifTool before version 12.38 contains a command-injection vulnerability in lib/Image/ExifTool.pm. The code incorrectly evaluates a regular-expression check of the form $file =~ /\|$/ (intended to catch filenames ending in a pipe character, which Perl can interpret as a command to run rather than a file to read), so an attacker-supplied filename or argument can bypass the intended safeguard and reach a system command execution path. The flaw is tracked as CWE-78 and carries a CVSS 3.1 base score of 7.8.
A local attacker can exploit the issue by causing a victim to invoke ExifTool against a specially crafted file or command-line argument. Successful exploitation grants arbitrary command execution with the privileges of the ExifTool process, resulting in full control over confidentiality, integrity, and availability of the affected system. User interaction is required, typically in the form of opening or processing the malicious input.
The official fix is contained in commit 74dbab1d2766d6422bb05b033ac6634bf8d1f582, which corrects the filename-handling logic. Administrators should upgrade to ExifTool 12.38 or later; no other work-arounds are documented in the available references.
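As an added illustration, not ExifTool's own code and not the change in the referenced commit, the Perl below shows the defensive pattern the advisory implies: reject any name that Perl's two-argument open() would treat as a pipe command (the /\|$/ check, widened here to tolerate trailing whitespace and a leading pipe), then open the file with three-argument open() so the name is never interpreted. The function names are assumed for the example.

```perl
use strict;
use warnings;

# Returns 1 if $file is safe to pass to a file open, 0 otherwise.
# Two-argument open() strips surrounding whitespace and treats a trailing
# '|' as "run this as a command", and a leading '|' as "pipe into this
# command", so both forms are rejected. An embedded NUL would truncate the
# path at the C level and is rejected as well.
sub is_safe_filename {
    my ($file) = @_;
    return 0 unless defined $file && length $file;
    return 0 if $file =~ /\|\s*$/;   # trailing pipe (the /\|$/ case, plus whitespace)
    return 0 if $file =~ /^\s*\|/;   # leading pipe
    return 0 if $file =~ /\0/;       # embedded NUL
    return 1;
}

# Opens $file for binary reading. Three-argument open() with an explicit
# '<' mode takes the name literally, so even if the check above were
# bypassed the name could not be interpreted as a command.
sub open_image_safely {
    my ($file) = @_;
    die "refusing suspicious filename\n" unless is_safe_filename($file);
    open(my $fh, '<', $file) or return undef;
    binmode $fh;
    return $fh;
}

# Constructed sample names for a self-check (not taken from the advisory).
my @samples = ('photo.jpg', 'photo.jpg|', 'photo.jpg| ', '| photo.jpg', "a.jpg\0.txt");
for my $name (@samples) {
    (my $shown = $name) =~ s/\0/\\0/g;   # make the NUL visible when printed
    printf "%-14s -> %s\n", $shown, is_safe_filename($name) ? 'allowed' : 'rejected';
}
```

Only 'photo.jpg' is reported as allowed; the four pipe- or NUL-bearing names are rejected before any open() is attempted.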
The CVE’s EPSS score has reached a peak of 0.2775 and currently stands at 0.2770, indicating a sustained, relatively high estimated probability of exploitation activity since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-28854
Vulnerability details
lib/Image/ExifTool.pm in ExifTool before 12.38 mishandles a $file =~ /\|$/ check, leading to command injection.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.