Unrated severity · NVD Advisory · Published Nov 14, 2021 · Updated Aug 4, 2024

CVE-2021-43274

Description

A use-after-free vulnerability exists in the Open Design Alliance Drawings SDK before 2022.11. The specific flaw exists within the parsing of DWF files. The issue results from a failure to validate the existence of an object before performing operations on it. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Use-after-free in ODA Drawings SDK DWF parsing allows arbitrary code execution; fixed in version 2022.11.

Vulnerability

A use-after-free vulnerability exists in the Open Design Alliance Drawings SDK prior to version 2022.11. The flaw resides in the parsing of DWF files, where the code fails to validate the existence of an object before performing operations on it. This can lead to accessing freed memory. All versions before 2022.11 are affected [1].

Exploitation

An attacker can exploit this vulnerability by providing a specially crafted DWF file to an application using the affected SDK. No authentication is required, as the attack vector is through file parsing. The attacker must convince a user to open the malicious file or trigger parsing via other means. The lack of object validation allows the attacker to trigger a use-after-free condition, which can be leveraged in conjunction with other vulnerabilities to achieve code execution [1].

Impact

Successful exploitation allows an attacker to execute arbitrary code in the context of the current process. This can lead to full compromise of the application and potentially the underlying system, depending on the privileges of the process. The impact includes loss of confidentiality, integrity, and availability [1].

Mitigation

The vulnerability is fixed in version 2022.11 of the ODA Drawings SDK. Users should upgrade to this version or later. No workarounds are documented. The vendor, Open Design Alliance, has released security advisories detailing the fix [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

References

1
