CVE-2021-32940
Description
An out-of-bounds read issue exists in the DWG file-recovering procedure in the Drawings SDK (All versions prior to 2022.5) resulting from the lack of proper validation of user-supplied data. This can result in a read past the end of an allocated buffer and allow attackers to cause a denial-of-service condition or read sensitive information from memory locations.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An out-of-bounds read in Open Design Alliance Drawings SDK prior to 2022.5 allows denial-of-service or information disclosure via crafted DWG files.
Vulnerability
The vulnerability is an out-of-bounds read in the DWG file-recovering procedure of Open Design Alliance Drawings SDK, all versions prior to 2022.5 [1]. The issue stems from insufficient validation of user-supplied data during parsing, leading to a read past the end of an allocated buffer [1][2].
Exploitation
An attacker can exploit this by convincing a user to open a specially crafted DWG file (e.g., via email or web link) [2]. No authentication is required, but user interaction is necessary [1][2]. The attack vector is local, with low complexity [1].
Impact
Successful exploitation can cause a denial-of-service condition or allow the attacker to read sensitive information from memory [1][2]. The CVSS v3 base score is 4.4 (AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L) per CISA [1], or 3.3 per ZDI [2]. Any information disclosure is limited to the memory read past the end of the allocated buffer.
Mitigation
Open Design Alliance released Drawings SDK version 2022.5 to address this vulnerability [1]. Users should update to the latest version. For Siemens JT2Go, apply vendor updates as recommended [2]. No workarounds are documented; the fix is to upgrade.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Drawings SDK/Drawings SDK
- Range: <2022.5
Patches
No patches discovered yet.