An update for metadata-extractor2 is now available for openEuler-22.03-LTS

Document type: Security Advisory
Contact: openeuler-security@openeuler.org
Issuing authority: openEuler security committee
Advisory ID: openEuler-SA-2024-1023
Status: Final
Version: 1.0
Revision history: 1.0, 2024-01-05, Initial
Initial release date: 2024-01-05
Current release date: 2024-01-05
Generator: openEuler SA Tool V1.0, 2024-01-05

Synopsis: metadata-extractor2 security update

Description:

Metadata Extractor is a straightforward Java library for reading metadata from image files.

Security Fix(es):

metadata-extractor up to 2.16.0 can throw various uncaught exceptions while parsing a specially crafted JPEG file, which could result in an application crash. This could be used to mount a denial of service attack against services that use the metadata-extractor library. (CVE-2022-24613)

When reading a specially crafted JPEG file, metadata-extractor up to 2.16.0 can be made to allocate large amounts of memory that finally leads to an out-of-memory error even for very small inputs. This could be used to mount a denial of service attack against services that use the metadata-extractor library. (CVE-2022-24614)

Topic:

An update for metadata-extractor2 is now available for openEuler-22.03-LTS. openEuler Security has rated this update as having a security impact of medium. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Severity: Medium
Affected component: metadata-extractor2

References:

  https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1023
  https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-24613
  https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-24614
  https://nvd.nist.gov/vuln/detail/CVE-2022-24613
  https://nvd.nist.gov/vuln/detail/CVE-2022-24614

Affected product: openEuler-22.03-LTS

Updated packages:

  metadata-extractor2-2.18.0-1.oe2203.noarch.rpm
  metadata-extractor2-javadoc-2.18.0-1.oe2203.noarch.rpm
  metadata-extractor2-2.18.0-1.oe2203.src.rpm

Vulnerabilities:

CVE-2022-24613
  Description: metadata-extractor up to 2.16.0 can throw various uncaught exceptions while parsing a specially crafted JPEG file, which could result in an application crash. This could be used to mount a denial of service attack against services that use the metadata-extractor library.
  Release date: 2024-01-05
  Affected product: openEuler-22.03-LTS
  Impact: Medium
  CVSS base score: 5.5
  CVSS vector: AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  Remediation: metadata-extractor2 security update, 2024-01-05
  https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1023

CVE-2022-24614
  Description: When reading a specially crafted JPEG file, metadata-extractor up to 2.16.0 can be made to allocate large amounts of memory that finally leads to an out-of-memory error even for very small inputs. This could be used to mount a denial of service attack against services that use the metadata-extractor library.
  Release date: 2024-01-05
  Affected product: openEuler-22.03-LTS
  Impact: Medium
  CVSS base score: 5.5
  CVSS vector: AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  Remediation: metadata-extractor2 security update, 2024-01-05
  https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1023