CVE-2021-31489

Vulnerability

An out-of-bounds write vulnerability exists in the DWF file parsing component of OpenText Brava! Desktop version 16.6.3.84 [1]. The flaw arises because the software does not properly validate user-supplied data when parsing DWF files, leading to a write past the end of an allocated buffer. An attacker can trigger this condition by convincing a user to open a malicious DWF file or visit a malicious webpage that loads the vulnerable component.

Exploitation

Exploitation requires user interaction: the target must open a crafted DWF file or navigate to a malicious page [1]. The attacker does not need prior authentication or any special network position—the attack can be delivered remotely, for example via email or a compromised website. Once the user performs the action, the vulnerable parsing routine writes data beyond the bounds of a heap buffer, providing the attacker with a memory corruption primitive.

Impact

Successful exploitation allows an attacker to execute arbitrary code in the context of the current process [1]. Depending on the privileges of the user running Brava! Desktop, this could result in full compromise of the affected system, including disclosure of sensitive data, modification of files, and denial of service. The CVSS v3.1 score for this issue is 7.8 (High) with a vector of AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H [1].

Mitigation

OpenText has not released a patch at the time of the advisory publication on June 2, 2021 [1]. The vendor was notified via the ZDI program (ZDI-CAN-12717) [1]. No workarounds are described in the available references. Users should monitor OpenText for a security update. The vulnerability is not known to be listed in CISA's Known Exploited Vulnerabilities catalog as of the advisory date.