CVE-2024-24826: 
Python vulnerability analysis and mitigation

An out-of-bounds read vulnerability (CVE-2024-24826) was discovered in Exiv2, a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. The vulnerability was identified in version v0.28.1, specifically in the QuickTimeVideo::NikonTagsDecoder function that was introduced in v0.28.0. Notably, versions of Exiv2 prior to v0.28.0 are not affected by this vulnerability (GitHub Advisory).

The vulnerability is classified as an out-of-bounds read (CWE-125) in the QuickTimeVideo::NikonTagsDecoder function. The issue has been assigned a CVSS v3.1 base score of 5.0 (MEDIUM) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H by NVD, while GitHub assigned a slightly higher score of 5.5 (MEDIUM) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (NVD).

When exploited, the vulnerability is triggered when Exiv2 is used to read the metadata of a crafted video file. In most cases, this out-of-bounds read results in a crash of the application (GitHub Advisory).

The vulnerability has been fixed in Exiv2 version v0.28.2. Users are advised to upgrade to this version as there are no known workarounds for this vulnerability (GitHub Advisory).