Is CVE-2021-22205 a bug in ExifTool or is it limited to GitLab?
https://gitlab.com/gitlab-org/gitlab/-/issues/327121
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22205
https://hackerone.com/reports/1154542
The bug appears to be that GitLab pumps files through ExifTool to remove metadata from JPEG files.
However, if the file is a djvu, then it can run arbitrary code. (Let me know if I have that wrong.)
In https://gitlab.com/gitlab-org/gitlab/-/issues/327121, there is a quoted comment from Phil (2021-04-08?). If this is fixed, what version of ExifTool contains the fix?
Apr. 13, 2021 - Version 12.24 (https://exiftool.org/ancient_history.html#v12.24)
Thank you.
I'm surprised that isn't mentioned in the CVE.
(Glad to know my own use of ExifTool was patched months ago.)
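Two defensive guards for a service that does what the thread describes, piping uploads through ExifTool to strip metadata. This is an added example, not code from the thread, from GitLab or from ExifTool; it assumes the service only intends to accept JPEG uploads and that `exiftool` is on PATH.

```shell
#!/bin/sh
# Added example (not from the forum thread, GitLab or ExifTool).
# Assumptions: `exiftool` is on PATH; the service accepts only JPEG uploads.

# Returns 0 if "$1" (a version string such as "12.24") is at least 12.24,
# the release named above as carrying the fix. ExifTool versions are
# "major.minor", so a two-part numeric comparison is enough.
exiftool_version_is_fixed() {
    major=${1%%.*}
    minor=${1#*.}
    minor=${minor%%.*}
    [ "$major" -gt 12 ] || { [ "$major" -eq 12 ] && [ "$minor" -ge 24 ]; }
}

# Returns 0 only if the file begins with the JPEG SOI marker FF D8 FF.
# ExifTool identifies formats by content, so a non-JPEG container renamed
# to .jpg must be rejected by content too, never by extension.
is_jpeg_by_magic() {
    [ "$(od -An -tx1 -N3 "$1" | tr -d ' \n')" = "ffd8ff" ]
}

# Strip metadata only when both guards pass; otherwise refuse the file.
strip_jpeg_metadata() {
    ver=$(exiftool -ver) || return 2
    exiftool_version_is_fixed "$ver" || {
        echo "exiftool $ver predates 12.24; refusing to process $1" >&2
        return 3
    }
    is_jpeg_by_magic "$1" || {
        echo "$1 is not a JPEG by content; refusing to process it" >&2
        return 4
    }
    exiftool -all= -overwrite_original "$1"
}
```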