VYPR
Unrated severity · NVD Advisory · Published Jun 17, 2021 · Updated Aug 3, 2024

CVE-2021-32948

Description

An out-of-bounds write issue exists in the DWG file-reading procedure in the Drawings SDK (All versions prior to 2022.4) resulting from the lack of proper validation of user-supplied data. This can result in a write past the end of an allocated buffer and allow attackers to cause a denial-of-service condition or execute code in the context of the current process.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2021-32948 is an out-of-bounds write in Open Design Alliance Drawings SDK (pre-2022.4) that can lead to denial-of-service or remote code execution via a crafted DWG file.

Vulnerability

CVE-2021-32948 is an out-of-bounds write vulnerability in the DWG file-reading procedure of Open Design Alliance Drawings SDK, affecting all versions prior to 2022.4 [1]. The issue stems from improper validation of user-supplied data when parsing DWG files, allowing a write past the end of an allocated buffer [1][2].

Exploitation

To exploit this vulnerability, an attacker must convince a user to open a maliciously crafted DWG file using an application that relies on the affected Drawings SDK, such as Siemens JT2Go [2]. No authentication is required, but user interaction is necessary in the form of opening the file or visiting a malicious page that triggers the file parse [2].

Impact

Successful exploitation can result in code execution in the context of the current process, or cause a denial-of-service condition [1][2]. The CVSS v3 base score is 7.8 with a vector of AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating high impact on confidentiality, integrity, and availability [2].

Mitigation

The fix is included in Open Design Alliance Drawings SDK version 2022.4, released in June 2021 [1]. Users should update to version 2022.4 or later. As of the publication date, no workaround is documented; upgrading is the recommended mitigation [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

References

5
