CVE-2021-22205?

Started by Neal Krawetz, November 21, 2021, 06:51:19 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions

Neal Krawetz

November 21, 2021, 06:51:19 PM
Is CVE-2021-22205 a bug in ExifTool or is it limited to GitLab?

https://gitlab.com/gitlab-org/gitlab/-/issues/327121
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22205
https://hackerone.com/reports/1154542

Neal Krawetz

#1
November 21, 2021, 06:54:39 PM
The bug appears to be that GitLab pumps files through ExifTool to remove metadata from JPEG files.
However, if the file is a djvu, then it can run arbitrary code.  (Let me know if I have that wrong.)

In https://gitlab.com/gitlab-org/gitlab/-/issues/327121, there is a quoted comment from Phil (2021-04-08?).  If this is fixed, what version of ExifTool contains the fix?

StarGeek

#2
November 21, 2021, 09:33:05 PM
"It didn't work" isn't helpful. What was the exact command used and the output.
Read FAQ #3 and use that cmd
Please use the Code button for exiftool output

Please include your OS/Exiftool version/filetype

Neal Krawetz

#3
November 21, 2021, 11:28:03 PM
Thank you.

I'm surprised that isn't mentioned in the CVE.
(Glad to know my own use of ExifTool was patched months ago.)
Print
Go Up Pages1
User actions