VYPR
Unrated severity · NVD Advisory · Published Nov 14, 2021 · Updated Aug 4, 2024

CVE-2021-43272

Description

An improper handling of exceptional conditions vulnerability exists in Open Design Alliance ODA Viewer sample before 2022.11. ODA Viewer continues to process invalid or malicious DWF files instead of stopping upon an exception. An attacker can leverage this vulnerability to execute code in the context of the current process.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Open Design Alliance ODA Viewer before 2022.11 contains a stack-based buffer overflow in DWF parsing, allowing remote code execution via a malicious file.

Vulnerability

CVE-2021-43272 is an improper handling of exceptional conditions vulnerability in the Open Design Alliance (ODA) ODA Viewer sample before version 2022.11. The software continues to process invalid or malicious DWF files instead of stopping upon an exception. The specific flaw is in the parsing of DWF files: the length of user-supplied data is not properly validated before the data is copied to a stack-based buffer [2][3][4]. Any version of ODA Viewer prior to the 2022.11 release is affected.

Exploitation

Exploitation requires user interaction: the target must open a malicious DWF file or visit a page that delivers such a file [2][3][4]. An attacker can craft a DWF file with an overly long data field that, when parsed by the vulnerable ODA Viewer, triggers a stack-based buffer overflow. No special authentication or network position is needed beyond the ability to deliver the file to the victim.

Impact

Successful exploitation allows an attacker to execute arbitrary code in the context of the current process. The CVSS score is 7.8 (High), with High impact on confidentiality, integrity, and availability: the attacker can read, modify, or delete data, and potentially cause a denial of service or further compromise [2].

Mitigation

The fixed version is ODA Viewer 2022.11, released by Open Design Alliance. Users should upgrade to this or later versions. No workarounds are documented in the available references. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1][2][3][4].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
