Exiftool on macOS allows attackers to run malicious commands

Summary

A security issue in exiftool on macOS allows attackers to execute system commands by manipulating certain file data. This could potentially be exploited remotely. Upgrading to version 13.50 is recommended to fix this issue.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software

Vendor	Product	Affected versions	Fix available
exiftool_project	exiftool	<= 13.50	–

Original title

A vulnerability was determined in exiftool up to 13.49 on macOS. This issue affects the function SetMacOSTags of the file lib/Image/ExifTool/MacOS.pm of the component PNG File Parser. This manipula...

Original description

A vulnerability was determined in exiftool up to 13.49 on macOS. This issue affects the function SetMacOSTags of the file lib/Image/ExifTool/MacOS.pm of the component PNG File Parser. This manipulation of the argument DateTimeOriginal causes os command injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 13.50 is capable of addressing this issue. Patch name: e9609a9bcc0d32bd252a709a562fb822d6dd86f7. Upgrading the affected component is recommended.

nvd CVSS2.0 7.5

nvd CVSS3.1 8.8

nvd CVSS4.0 5.3

Vulnerability type

CWE-77 Command Injection

CWE-78 OS Command Injection

https://github.com/exiftool/exiftool/ Product
https://github.com/exiftool/exiftool/commit/e9609a9bcc0d32bd252a709a562fb822d6dd... Patch
https://github.com/exiftool/exiftool/releases/tag/13.50 Release Notes
https://vuldb.com/?ctiid.347528 Permissions Required
https://vuldb.com/?id.347528 Third Party Advisory VDB Entry
https://vuldb.com/?submit.758146 Exploit Third Party Advisory VDB Entry
https://www.youtube.com/watch?v=akk0vmilfb4 Exploit