ExifTool vulnerable to arbitrary code execution
Published: January 20, 2023
SECURITY IDENTIFIERS
- GHSA: GHSA-q95h-cqrv-8jv5
- Vendor Advisory: https://github.com/exiftool-rb/exiftool_vendored.rb/security/advisories/GHSA-q95h-cqrv-8jv5
GEM
SEVERITY
CVSS v3.x: 7.8 (High)
PATCHED VERSIONS
>= 12.25.0
DESCRIPTION
Impact
Arbitrary code execution can occur when running exiftool against files with hostile metadata payloads.
Patches
ExifTool has already been patched in version 12.24. exiftool_vendored.rb, which vendors ExifTool, includes this patch in v12.25.0.
Workarounds
No
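
An added example, not part of the advisory or the project's own code: a Ruby check that reads Gemfile.lock text and reports whether the locked vendored gem is below the first patched version listed under PATCHED VERSIONS. The gem name `exiftool_vendored`, the helper names and the sample lockfile are assumptions constructed for illustration.

```ruby
# Added example: flag a Gemfile.lock that pins the vendored ExifTool gem
# below the first patched release named in this advisory.
require "rubygems" # provides Gem::Version for correct version ordering

GEM_NAME      = "exiftool_vendored"         # assumption: gem name on RubyGems
FIRST_PATCHED = Gem::Version.new("12.25.0") # from PATCHED VERSIONS

# Constructed sample lockfile, not taken from a real project.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      exiftool (1.2.4)
        json
      exiftool_vendored (12.24.0)
        exiftool (>= 1.1.0)
      json (2.6.3)

  DEPENDENCIES
    exiftool_vendored
LOCK

# Resolved specs sit at exactly four spaces of indent as "name (version)".
# Dependency constraints (six spaces) and DEPENDENCIES entries (two spaces)
# are not resolved versions and are deliberately not matched.
def locked_version(lockfile_text, name)
  pattern = /^ {4}#{Regexp.escape(name)} \(([^)\s]+)\)\s*$/
  match = lockfile_text.match(pattern)
  match && match[1]
end

# Returns a hash with :status (:not_present, :vulnerable or :patched)
# and, when the gem is locked, the raw :version string.
def audit_lockfile(lockfile_text)
  raw = locked_version(lockfile_text, GEM_NAME)
  return { status: :not_present } if raw.nil?
  # Drop any platform suffix ("1.2.3-java") so it is not read as a prerelease.
  version = Gem::Version.new(raw.split("-").first)
  status = version >= FIRST_PATCHED ? :patched : :vulnerable
  { status: status, version: raw }
end

if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  result = audit_lockfile(text)
  puts "#{GEM_NAME}: #{result[:status]} #{result[:version]}".strip
end
```

This covers only the gem resolved by Bundler; an ExifTool binary installed separately on the host is subject to the upstream fix in version 12.24 and has to be checked on its own.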
