Skip to content

Allocation of Resources Without Limits or Throttling in metadata-extractor

Moderate severity GitHub Reviewed Published Feb 25, 2022 to the GitHub Advisory Database • Updated Aug 26, 2024

Package

maven com.drewnoakes:metadata-extractor (Maven)

Affected versions

< 2.18.0

Patched versions

2.18.0

Description

When reading a specially crafted JPEG file, metadata-extractor up to 2.16.0 can be made to allocate large amounts of memory that finally leads to an out-of-memory error even for very small inputs. This could be used to mount a denial of service attack against services that use metadata-extractor library.

References

Published by the National Vulnerability Database Feb 24, 2022
Published to the GitHub Advisory Database Feb 25, 2022
Reviewed Mar 7, 2022
Last updated Aug 26, 2024

Severity

Moderate

EPSS score

0.056%
(25th percentile)

Weaknesses

CVE ID

CVE-2022-24614

GHSA ID

GHSA-4v6p-cxf9-98rf

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.