CVE-2021-29457

Name of the Vulnerable Software and Affected Versions Exiv2 versions v0.27.3 and earlier

Description A heap buffer overflow was found in Exiv2 when used to write metadata into a crafted image file. This could potentially allow an attacker to gain code execution if they can trick the victim into running Exiv2 on a crafted image file. The issue is triggered by writing metadata, a less frequently used operation than reading metadata. For example, adding an extra command-line argument such as insert can trigger the bug in the Exiv2 command-line application. The vulnerability may also allow a remote attacker to access confidential data, compromise its integrity, and cause a denial of service using a specially crafted image file.

Recommendations For Exiv2 versions v0.27.3 and earlier, update to version v0.27.4 to fix the heap buffer overflow issue. As a temporary workaround, consider avoiding the use of the insert command-line argument or any other operation that triggers the writing of metadata until the update is applied. Restrict the use of Exiv2 for writing metadata to minimize the risk of exploitation.