CVE-2021-22205?

Started by Neal Krawetz, November 21, 2021, 06:51:19 PM

Neal Krawetz

Is CVE-2021-22205 a bug in ExifTool or is it limited to GitLab?

https://gitlab.com/gitlab-org/gitlab/-/issues/327121
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22205
https://hackerone.com/reports/1154542

Neal Krawetz

The bug appears to be that GitLab pumps files through ExifTool to remove metadata from JPEG files.
However, if the file is a djvu, then it can run arbitrary code.  (Let me know if I have that wrong.)

In https://gitlab.com/gitlab-org/gitlab/-/issues/327121, there is a quoted comment from Phil (2021-04-08?).  If this is fixed, what version of ExifTool contains the fix?
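An added example, not part of the thread and not GitLab's or ExifTool's own code: a content-based allowlist placed in front of a metadata-stripping call, so a DjVu file uploaded under a `.jpg` name is rejected before ExifTool sees it. The function names, the allowlist and the sample bytes are assumptions made for illustration, and the gate complements a patched ExifTool rather than replacing it.

```python
import os
import subprocess

# Leading bytes of the formats this gate recognises.
JPEG_MAGIC = b"\xff\xd8\xff"
TIFF_MAGICS = (b"II*\x00", b"MM\x00*")
DJVU_MAGIC = b"AT&TFORM"  # DjVu: "AT&T" prefix followed by an IFF "FORM" chunk

# Assumption: the application only ever intends to strip these types.
ALLOWED = {"jpeg", "tiff"}

# Constructed sample headers (not real files), used to exercise sniff().
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
SAMPLE_DJVU = b"AT&TFORM\x00\x00\x00\x10DJVU"


def sniff(head: bytes) -> str:
    """Classify a file by its leading bytes, ignoring name and extension."""
    if head.startswith(JPEG_MAGIC):
        return "jpeg"
    if head.startswith(TIFF_MAGICS):
        return "tiff"
    if head.startswith(DJVU_MAGIC):
        return "djvu"
    return "unknown"


def safe_to_strip(path: str) -> bool:
    """True only if the file content matches an allowlisted type."""
    with open(path, "rb") as fh:
        return sniff(fh.read(16)) in ALLOWED


def strip_metadata(path: str) -> bool:
    """Run ExifTool on the file only when its content passes the allowlist."""
    if not safe_to_strip(path):
        return False  # rejected: ExifTool is never invoked on this file
    # Absolute path, so a hostile file name can never be parsed as an option.
    subprocess.run(
        ["exiftool", "-all=", "-overwrite_original", os.path.abspath(path)],
        check=True,
    )
    return True
```

The check reads file content because the extension is attacker-controlled; unrecognised content is refused by default.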

StarGeek

* Did you read FAQ #3 and use the command listed there?
* Please use the Code button for exiftool code/output.
* Please include your OS, Exiftool version, and type of file you're processing (MP4, JPG, etc).

Neal Krawetz

Thank you.

I'm surprised that isn't mentioned in the CVE.
(Glad to know my own use of ExifTool was patched months ago.)