Out-of-bounds write in exiv2
CVE-2023-44398
8.8 HIGH
What is CVE-2023-44398?
Exiv2, a C++ library used for handling image metadata, contains a vulnerability that allows for out-of-bounds writes in version v0.28.0. This issue is triggered when the library reads the metadata from specially crafted image files. If exploited, it could let an attacker execute arbitrary code by tricking a victim into processing such a file with Exiv2. The vulnerability has been patched in version v0.28.1, and users are encouraged to update immediately, as there are no known workarounds available.
Affected Version(s)
exiv2 = 0.28.0