CVE-2021-21235

Infinite loop in parsing PNG files in

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

kamadak-exif is an exif parsing library written in pure Rust. In kamadak-exif version 0.5.2, there is an infinite loop in parsing crafted PNG files. Specifically, reader::read_from_container can cause an infinite loop when a crafted PNG file is given. This is fixed in version 0.5.3. No workaround is available. Applications that do not pass files with the PNG signature to Reader::read_from_container are not affected.

kamadak-exif es una biblioteca de análisis exif escrita en Rust puro. En kamadak-exif versión 0.5.2, Se presenta un bucle infinito en el análisis de archivos PNG diseñados. Específicamente, la función reader::read_from_container puede causar un bucle infinito cuando se le proporciona un archivo PNG diseñado. Esto es corregido en la versión 0.5.3. Ninguna solución alternativa está disponible. Las aplicaciones que no aprueban archivos con la firma PNG a la función Reader::read_from_container no están afectadas

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-12-22 CVE Reserved
2021-01-06 CVE Published
2023-09-21 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-400: Uncontrolled Resource Consumption
CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')

CAPEC

References (3)

URL	Tag	Source
https://crates.io/crates/kamadak-exif	Product
https://github.com/kamadak/exif-rs/security/advisories/GHSA-px9g-8hgv-jvg2	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://github.com/kamadak/exif-rs/commit/f21df24616ea611c5d5d0e0e2f8042eb74d5ff48	2022-10-19

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Kamadak-exif Project Search vendor "Kamadak-exif Project"		Kamadak-exif Search vendor "Kamadak-exif Project" for product "Kamadak-exif"				0.5.2 Search vendor "Kamadak-exif Project" for product "Kamadak-exif" and version "0.5.2"		rust		Affected