When reading a specially crafted JPEG file, metadata-extractor up to 2.16.0 can be made to allocate large amounts of memory that finally leads to an out-of-memory error even for very small inputs. This could be used to mount a denial of service attack against services that use metadata-extractor library.
metadata-extractor up to 2.16.0 can throw various uncaught exceptions while parsing a specially crafted JPEG file, which could result in an application crash. This could be used to mount a denial of service attack against services that use metadata-extractor library.
Java library for extracting EXIF, IPTC, XMP, ICC and other metadata from image and video files.
Library home page: https://drewnoakes.com/code/exif/
Path to dependency file: /nifi-nar-bundles/nifi-media-bundle/nifi-media-processors/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-media-bundle/nifi-media-processors/pom.xml
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2022-24614
### Vulnerable Library - metadata-extractor-2.13.0.jarJava library for extracting EXIF, IPTC, XMP, ICC and other metadata from image and video files.
Library home page: https://drewnoakes.com/code/exif/
Path to dependency file: /nifi-nar-bundles/nifi-media-bundle/nifi-media-processors/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-media-bundle/nifi-media-processors/pom.xml
Dependency Hierarchy: - :x: **metadata-extractor-2.13.0.jar** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsWhen reading a specially crafted JPEG file, metadata-extractor up to 2.16.0 can be made to allocate large amounts of memory that finally leads to an out-of-memory error even for very small inputs. This could be used to mount a denial of service attack against services that use metadata-extractor library.
Publish Date: 2022-02-24
URL: CVE-2022-24614
### CVSS 3 Score Details (5.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2022-02-24
Fix Resolution: 2.16.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2022-24613
### Vulnerable Library - metadata-extractor-2.13.0.jarJava library for extracting EXIF, IPTC, XMP, ICC and other metadata from image and video files.
Library home page: https://drewnoakes.com/code/exif/
Path to dependency file: /nifi-nar-bundles/nifi-media-bundle/nifi-media-processors/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-media-bundle/nifi-media-processors/pom.xml
Dependency Hierarchy: - :x: **metadata-extractor-2.13.0.jar** (Vulnerable Library)
Found in base branch: main
### Vulnerability Detailsmetadata-extractor up to 2.16.0 can throw various uncaught exceptions while parsing a specially crafted JPEG file, which could result in an application crash. This could be used to mount a denial of service attack against services that use metadata-extractor library.
Publish Date: 2022-02-24
URL: CVE-2022-24613
### CVSS 3 Score Details (5.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2022-02-24
Fix Resolution: 2.16.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.