Description
When reading a specially crafted JPEG file, metadata-extractor up to version 2.16.0 can be made to allocate large amounts of memory, eventually leading to an out-of-memory error, even for very small inputs. This could be used to mount a denial-of-service attack against services that use the metadata-extractor library.
Remediation
References
https://github.com/drewnoakes/metadata-extractor/issues/561
Related Vulnerabilities
CVE-2021-32643 Vulnerability in maven package org.http4s:http4s-core
CVE-2020-15171 Vulnerability in maven package org.xwiki.platform:xwiki-platform-oldcore
CVE-2020-26939 Vulnerability in maven package org.bouncycastle:bcprov-ext-jdk15on
CVE-2021-23383 Vulnerability in maven package org.webjars.npm:handlebars
CVE-2022-21186 Vulnerability in npm package @acrontum/filesystem-template