CVE-2022-24614 - OpenCVE

When reading a specially crafted JPEG file, metadata-extractor up to 2.16.0 can be made to allocate large amounts of memory that finally leads to an out-of-memory error even for very small inputs. This could be used to mount a denial of service attack against services that use metadata-extractor library.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:M/Au:N/C:N/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Metadata-extractor Project	Metadata-extractor
Redhat	Jboss Fuse

Configuration 1 [-]

cpe:2.3:a:metadata-extractor_project:metadata-extractor:*:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Red Hat Fuse 7.11
metadata-extractor	cpe:/a:redhat:jboss_fuse:7	RHSA-2022:5532	2022-07-07T00:00:00Z

References

Link	Providers
https://github.com/drewnoakes/metadata-extractor/issues/561
https://nvd.nist.gov/vuln/detail/CVE-2022-24614
https://www.cve.org/CVERecord?id=CVE-2022-24614

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2022-02-24T13:11:54

Updated: 2024-08-03T04:13:56.973Z

Reserved: 2022-02-07T00:00:00

Link: CVE-2022-24614

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-02-24T15:15:29.750

Modified: 2022-03-02T18:29:28.907

Link: CVE-2022-24614

Redhat

Severity : Low

Publid Date: 2022-02-24T00:00:00Z

Links: CVE-2022-24614 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "When reading a specially crafted JPEG file, metadata-extractor up to 2.16.0 can be made to allocate large amounts of memory that finally leads to an out-of-memory error even for very small inputs. This could be used to mount a denial of service attack against services that use metadata-extractor library."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-02-24T13:11:54", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/drewnoakes/metadata-extractor/issues/561"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2022-24614", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "When reading a specially crafted JPEG file, metadata-extractor up to 2.16.0 can be made to allocate large amounts of memory that finally leads to an out-of-memory error even for very small inputs. This could be used to mount a denial of service attack against services that use metadata-extractor library."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/drewnoakes/metadata-extractor/issues/561", "refsource": "MISC", "url": "https://github.com/drewnoakes/metadata-extractor/issues/561"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T04:13:56.973Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/drewnoakes/metadata-extractor/issues/561"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-24614", "datePublished": "2022-02-24T13:11:54", "dateReserved": "2022-02-07T00:00:00", "dateUpdated": "2024-08-03T04:13:56.973Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:metadata-extractor_project:metadata-extractor:*:*:*:*:*:*:*:*", "matchCriteriaId": "61E89144-6999-46A1-B104-A545FBFF049B", "versionEndExcluding": "2.16.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "When reading a specially crafted JPEG file, metadata-extractor up to 2.16.0 can be made to allocate large amounts of memory that finally leads to an out-of-memory error even for very small inputs. This could be used to mount a denial of service attack against services that use metadata-extractor library."}, {"lang": "es", "value": "Cuando es le\u00eddo un archivo JPEG especialmente dise\u00f1ado, metadata-extractor versiones hasta 2.16.0, puede hacer que asigne grandes cantidades de memoria que finalmente conllevan a un error de falta de memoria incluso para entradas muy peque\u00f1as. Esto podr\u00eda ser usado para montar un ataque de denegaci\u00f3n de servicio contra servicios que usan la biblioteca metadata-extractor"}], "id": "CVE-2022-24614", "lastModified": "2022-03-02T18:29:28.907", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-02-24T15:15:29.750", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/drewnoakes/metadata-extractor/issues/561"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2022:5532", "cpe": "cpe:/a:redhat:jboss_fuse:7", "package": "metadata-extractor", "product_name": "Red Hat Fuse 7.11", "release_date": "2022-07-07T00:00:00Z"}], "bugzilla": {"description": "metadata-extractor: Out-of-memory when reading a specially crafted JPEG file", "id": "2058763", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2058763"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-400", "details": ["When reading a specially crafted JPEG file, metadata-extractor up to 2.16.0 can be made to allocate large amounts of memory that finally leads to an out-of-memory error even for very small inputs. This could be used to mount a denial of service attack against services that use metadata-extractor library."], "name": "CVE-2022-24614", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:6", "fix_state": "Out of support scope", "package_name": "metadata-extractor", "product_name": "Red Hat BPM Suite 6"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Will not fix", "package_name": "metadata-extractor", "product_name": "Red Hat Integration Camel K"}, {"cpe": "cpe:/a:redhat:camel_quarkus:2", "fix_state": "Will not fix", "package_name": "metadata-extractor", "product_name": "Red Hat Integration Camel Quarkus"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:5", "fix_state": "Out of support scope", "package_name": "metadata-extractor", "product_name": "Red Hat JBoss BRMS 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:6", "fix_state": "Out of support scope", "package_name": "metadata-extractor", "product_name": "Red Hat JBoss BRMS 6"}, {"cpe": "cpe:/a:redhat:jboss_data_virtualization:6", "fix_state": "Out of support scope", "package_name": "metadata-extractor", "product_name": "Red Hat JBoss Data Virtualization 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Out of support scope", "package_name": "metadata-extractor", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse_service_works:6", "fix_state": "Out of support scope", "package_name": "metadata-extractor", "product_name": "Red Hat JBoss Fuse Service Works 6"}], "public_date": "2022-02-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-24614\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-24614"], "threat_severity": "Low"}