CVE-2021-37622: 
NixOS vulnerability analysis and mitigation

Exiv2, a command-line utility and C++ library for reading, writing, deleting, and modifying image file metadata, was found to contain an infinite loop vulnerability (CVE-2021-37622) in versions v0.27.4 and earlier. The vulnerability was discovered in July 2021 and fixed in version v0.27.5 (GitHub Advisory).

The infinite loop vulnerability is triggered when Exiv2 is used to modify the metadata of a crafted image file. The issue occurs specifically in the JpegBase::printStructure function when deleting IPTC data. The vulnerability has a CVSS v3.1 Base Score of 5.5 MEDIUM (Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) and is classified as CWE-835 (Loop with Unreachable Exit Condition) (NVD).

An attacker could potentially exploit the vulnerability to cause a denial of service by causing the application to enter an infinite loop, if they can trick the victim into running Exiv2 on a crafted image file. The impact is limited to availability, with no direct effect on confidentiality or integrity (GitHub Advisory).

The vulnerability was fixed in Exiv2 version v0.27.5. Users are recommended to upgrade to this version or later. Multiple Linux distributions have released security updates to address this vulnerability, including Debian (0.25-4+deb10u4), Ubuntu, and Fedora (Debian LTS, Fedora Update).