CVE-2022-24614 - Vulnerability Details - OpenCVE

When reading a specially crafted JPEG file, metadata-extractor up to 2.16.0 can be made to allocate large amounts of memory that finally leads to an out-of-memory error even for very small inputs. This could be used to mount a denial of service attack against services that use metadata-extractor library.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00278.

Key SSVC decision points have not yet been added.

Vendors	Products
Metadata-extractor Project	Metadata-extractor
Redhat	Jboss Fuse

Configuration 1 [-]

cpe:2.3:a:metadata-extractor_project:metadata-extractor:*:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Red Hat Fuse 7.11
metadata-extractor	cpe:/a:redhat:jboss_fuse:7	RHSA-2022:5532	2022-07-07T00:00:00Z

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2022-0819	When reading a specially crafted JPEG file, metadata-extractor up to 2.16.0 can be made to allocate large amounts of memory that finally leads to an out-of-memory error even for very small inputs. This could be used to mount a denial of service attack against services that use metadata-extractor library.
Github GHSA	GHSA-4v6p-cxf9-98rf	Allocation of Resources Without Limits or Throttling in metadata-extractor

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/drewnoakes/metadata-extractor/issues/561
https://nvd.nist.gov/vuln/detail/CVE-2022-24614
https://www.cve.org/CVERecord?id=CVE-2022-24614

History

Tue, 15 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00056}`	epss `{'score': 0.00052}`

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2022-02-24T13:11:54

Updated: 2024-08-03T04:13:56.973Z

Reserved: 2022-02-07T00:00:00

Link: CVE-2022-24614

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-02-24T15:15:29.750

Modified: 2025-09-12T19:46:21.530

Link: CVE-2022-24614

Redhat

Severity : Low

Publid Date: 2022-02-24T00:00:00Z

Links: CVE-2022-24614 - Bugzilla

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "When reading a specially crafted JPEG file, metadata-extractor up to 2.16.0 can be made to allocate large amounts of memory that finally leads to an out-of-memory error even for very small inputs. This could be used to mount a denial of service attack against services that use metadata-extractor library."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-02-24T13:11:54", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/drewnoakes/metadata-extractor/issues/561"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2022-24614", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "When reading a specially crafted JPEG file, metadata-extractor up to 2.16.0 can be made to allocate large amounts of memory that finally leads to an out-of-memory error even for very small inputs. This could be used to mount a denial of service attack against services that use metadata-extractor library."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/drewnoakes/metadata-extractor/issues/561", "refsource": "MISC", "url": "https://github.com/drewnoakes/metadata-extractor/issues/561"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T04:13:56.973Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/drewnoakes/metadata-extractor/issues/561"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-24614", "datePublished": "2022-02-24T13:11:54", "dateReserved": "2022-02-07T00:00:00", "dateUpdated": "2024-08-03T04:13:56.973Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:metadata-extractor_project:metadata-extractor:*:*:*:*:*:*:*:*", "matchCriteriaId": "C4F6453F-1610-447D-BCA4-188E9FCAD6BE", "versionEndExcluding": "2.18.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "When reading a specially crafted JPEG file, metadata-extractor up to 2.16.0 can be made to allocate large amounts of memory that finally leads to an out-of-memory error even for very small inputs. This could be used to mount a denial of service attack against services that use metadata-extractor library."}, {"lang": "es", "value": "Cuando es le\u00eddo un archivo JPEG especialmente dise\u00f1ado, metadata-extractor versiones hasta 2.16.0, puede hacer que asigne grandes cantidades de memoria que finalmente conllevan a un error de falta de memoria incluso para entradas muy peque\u00f1as. Esto podr\u00eda ser usado para montar un ataque de denegaci\u00f3n de servicio contra servicios que usan la biblioteca metadata-extractor"}], "id": "CVE-2022-24614", "lastModified": "2025-09-12T19:46:21.530", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-02-24T15:15:29.750", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/drewnoakes/metadata-extractor/issues/561"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/drewnoakes/metadata-extractor/issues/561"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2022:5532", "cpe": "cpe:/a:redhat:jboss_fuse:7", "package": "metadata-extractor", "product_name": "Red Hat Fuse 7.11", "release_date": "2022-07-07T00:00:00Z"}], "bugzilla": {"description": "metadata-extractor: Out-of-memory when reading a specially crafted JPEG file", "id": "2058763", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2058763"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-400", "details": ["When reading a specially crafted JPEG file, metadata-extractor up to 2.16.0 can be made to allocate large amounts of memory that finally leads to an out-of-memory error even for very small inputs. This could be used to mount a denial of service attack against services that use metadata-extractor library."], "name": "CVE-2022-24614", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform", "fix_state": "Out of support scope", "package_name": "metadata-extractor", "product_name": "Red Hat BPM Suite 6"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Fix deferred", "package_name": "metadata-extractor", "product_name": "Red Hat Integration Camel K 1"}, {"cpe": "cpe:/a:redhat:camel_quarkus:2", "fix_state": "Fix deferred", "package_name": "metadata-extractor", "product_name": "Red Hat Integration Camel Quarkus 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:5", "fix_state": "Out of support scope", "package_name": "metadata-extractor", "product_name": "Red Hat JBoss BRMS 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:6", "fix_state": "Out of support scope", "package_name": "metadata-extractor", "product_name": "Red Hat JBoss BRMS 6"}, {"cpe": "cpe:/a:redhat:jboss_data_virtualization:6", "fix_state": "Out of support scope", "package_name": "metadata-extractor", "product_name": "Red Hat JBoss Data Virtualization 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Out of support scope", "package_name": "metadata-extractor", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse_service_works:6", "fix_state": "Out of support scope", "package_name": "metadata-extractor", "product_name": "Red Hat JBoss Fuse Service Works 6"}], "public_date": "2022-02-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-24614\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-24614"], "threat_severity": "Low"}