VYPR
Unrated severity · NVD Advisory · Published Nov 14, 2021 · Updated Aug 4, 2024

CVE-2021-43278

Description

An Out-of-bounds Read vulnerability exists in the OBJ file reading procedure in Open Design Alliance Drawings SDK before 2022.11. The lack of validating the input length can trigger a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An out-of-bounds read in ODA Drawings SDK before 2022.11 allows attackers to execute code when processing a crafted OBJ file.

Vulnerability

The Open Design Alliance Drawings SDK before version 2022.11 contains an out-of-bounds read vulnerability in its OBJ file reading procedure [1]. The software fails to validate the input length, which can trigger a read past the end of an allocated buffer when parsing a specially crafted OBJ file. Affected versions: all versions before 2022.11 [1].

Exploitation

An attacker must provide a malicious OBJ file to a target application that uses the vulnerable SDK. No special network position is required beyond the ability to deliver the file (e.g., via email, download, or file sharing). The user must open the malicious OBJ file in an application built with the affected SDK. The lack of input length validation allows the attacker to trigger the out-of-bounds read with no additional privileges or user interaction beyond opening the file [1].

Impact

Successful exploitation allows the attacker to execute arbitrary code in the context of the current process. The out-of-bounds read can be leveraged to achieve code execution, potentially leading to full compromise of the affected application and the user's system [1].

Mitigation

A fix was released in ODA Drawings SDK version 2022.11. Users should upgrade to version 2022.11 or later. No workarounds are described in the available references. The vendor’s security advisory page should be monitored for updates [1].

Not yet disclosed in the available references.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

References

1
