CVE-2020-18771: 
Python vulnerability analysis and mitigation

Exiv2 0.27.99.0 has a global buffer over-read vulnerability in Exiv2::Internal::Nikon1MakerNote::print0x0088 function located in nikonmn_int.cpp. The vulnerability was discovered in March 2019 and was assigned CVE-2020-18771. This security flaw affects the Exiv2 image metadata library, which is used for parsing, editing, and saving Exif and IPTC metadata from images (GitHub Issue).

The vulnerability is a global buffer over-read issue that occurs in the Nikon1MakerNote::print0x0088 function within nikonmn_int.cpp. When processing certain image files, the function attempts to read beyond the bounds of a global buffer, which can lead to information disclosure. The vulnerability has been assigned a CVSS v3.1 base score of 8.1 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H (NVD).

The exploitation of this vulnerability can result in information leakage through the exposure of sensitive data from memory locations beyond the intended buffer boundaries. The high CVSS score indicates significant potential impact on both confidentiality and availability of the affected system (NVD).

The vulnerability has been addressed in subsequent versions of Exiv2. Users are recommended to upgrade to version 0.28.1 or later. For Debian 10 (buster) users, the fix is available in version 0.25-4+deb10u4 (Debian Advisory, Gentoo Advisory).