E21-c6ho1
CVSS:
7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
False Positive:
f
Variants:
3
Year:
2021
Description
This strike exploits an improper neutralization of directives in dynamically evaluated code ('eval injection') in ExifTool.
An remote unauthenticated attacker can supply a malicious crafted DjVu file to be processed via ExifTool. Successful exploitation may lead to execution of arbitrary code with the context of the user running the ExifTool.
Note: This strike exploits GitLab CE which runs the ExifTool internally. GitLab also identifies this same vulnerability with CVE-2021-22205.