VYPR
Unrated severity · NVD Advisory · Published Nov 14, 2021 · Updated Aug 4, 2024

CVE-2021-43336

Description

An Out-of-Bounds Write vulnerability exists when reading a DXF or DWG file using Open Design Alliance Drawings SDK before 2022.11. The specific issue exists within the parsing of DXF and DWG files. Crafted data in a DXF or DWG file (an invalid number of properties) can trigger a write operation past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An out-of-bounds write in Open Design Alliance Drawings SDK before 2022.11 allows arbitrary code execution in the context of the parsing process when a crafted DXF or DWG file is opened.

Vulnerability

An out-of-bounds write vulnerability exists in the Open Design Alliance (ODA) Drawings SDK prior to version 2022.11 when parsing DXF and DWG files. The flaw occurs during the parsing of crafted data containing an invalid number of properties, which triggers a write operation past the end of an allocated buffer. This issue affects the SDK directly and also impacts products that incorporate it, such as Siemens JT2Go [1][2].

Exploitation

An attacker can exploit this vulnerability by convincing a user to open a malicious DXF or DWG file in an application that parses it with the affected SDK. No authentication is required, but user interaction is necessary (the victim has to open the file; the CVSS vector rates the attack vector as local). The crafted file declares an invalid number of properties, causing the SDK to write beyond the allocated buffer during parsing [2].
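The following added example is not ODA's code and does not use the real DXF/DWG record layout; it is a constructed toy entity record written for this page to illustrate the bug class the description names: a parser that trusts a declared property count larger than the fixed-capacity buffer it writes into, beside a version that validates the count before any write. The record format, MAX_PROPS, and the function names (vulnerable_parse_overrun, safe_parse, build_record, demo_*) are assumptions for the demonstration. The vulnerable variant over-allocates its buffer with canary-filled guard slots so the overrun can be observed without undefined behaviour; a real parser has no such guard and the write lands on whatever follows the buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed toy entity record (an assumption for this example; it is NOT
 * the DXF/DWG layout and NOT ODA Drawings SDK code):
 *   byte 0     : entity type tag
 *   byte 1     : declared number of properties, n
 *   bytes 2... : n properties, 4 bytes each (u16 key, u16 value, little-endian)
 */
#define MAX_PROPS   8      /* fixed capacity the parser reserves per entity */
#define PROP_SIZE   4
#define GUARD_SLOTS 16     /* extra slots used only to observe the overrun safely */

typedef struct { uint16_t key; uint16_t value; } prop_t;
static const prop_t CANARY = { 0xDEAD, 0xBEEF };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Vulnerable pattern: the declared count drives the copy loop, but the
 * destination only has room for MAX_PROPS entries. To keep the demo
 * well-defined, the buffer is over-allocated with canary-filled guard slots
 * and the loop is capped at the real allocation. Returns how many guard
 * slots were clobbered, i.e. how far the write ran past the logical buffer. */
int vulnerable_parse_overrun(const uint8_t *rec, size_t len) {
    if (len < 2) return -1;
    uint8_t n = rec[1];
    if (len < 2 + (size_t)n * PROP_SIZE) return -1;  /* input length checked, capacity is not */
    size_t total = MAX_PROPS + GUARD_SLOTS;
    prop_t *props = malloc(total * sizeof *props);
    if (!props) return -1;
    for (size_t i = 0; i < total; i++) props[i] = CANARY;
    size_t limit = n < total ? n : total;            /* cap only so the demo stays defined */
    for (size_t i = 0; i < limit; i++) {             /* BUG: bound should be MAX_PROPS */
        props[i].key   = rd16(rec + 2 + i * PROP_SIZE);
        props[i].value = rd16(rec + 4 + i * PROP_SIZE);
    }
    int clobbered = 0;
    for (size_t i = MAX_PROPS; i < total; i++)
        if (props[i].key != CANARY.key || props[i].value != CANARY.value) clobbered++;
    free(props);
    return clobbered;
}

/* Hardened pattern: reject a declared count that exceeds the buffer capacity
 * or the bytes actually present before performing any write.
 * Returns the number of properties stored in out[], or -1 on invalid input. */
int safe_parse(const uint8_t *rec, size_t len, prop_t out[MAX_PROPS]) {
    if (len < 2) return -1;
    uint8_t n = rec[1];
    if (n > MAX_PROPS) return -1;                    /* invalid number of properties */
    if ((len - 2) / PROP_SIZE < n) return -1;        /* truncated record */
    for (size_t i = 0; i < n; i++) {
        out[i].key   = rd16(rec + 2 + i * PROP_SIZE);
        out[i].value = rd16(rec + 4 + i * PROP_SIZE);
    }
    return n;
}

/* Builds a constructed record with n properties (key = i, value = 0x100 + i);
 * returns its length, or 0 if buf is too small. */
size_t build_record(uint8_t n, uint8_t *buf, size_t cap) {
    size_t need = 2 + (size_t)n * PROP_SIZE;
    if (cap < need) return 0;
    buf[0] = 0x01;
    buf[1] = n;
    for (size_t i = 0; i < n; i++) {
        uint16_t k = (uint16_t)i, v = (uint16_t)(0x100 + i);
        uint8_t *p = buf + 2 + i * PROP_SIZE;
        p[0] = (uint8_t)(k & 0xFF); p[1] = (uint8_t)(k >> 8);
        p[2] = (uint8_t)(v & 0xFF); p[3] = (uint8_t)(v >> 8);
    }
    return need;
}

/* Convenience wrappers: run each parser on a record declaring n properties. */
int demo_overrun(uint8_t n) {
    uint8_t buf[2 + 255 * PROP_SIZE];
    size_t len = build_record(n, buf, sizeof buf);
    return vulnerable_parse_overrun(buf, len);
}
int demo_safe(uint8_t n) {
    uint8_t buf[2 + 255 * PROP_SIZE];
    prop_t out[MAX_PROPS];
    size_t len = build_record(n, buf, sizeof buf);
    return safe_parse(buf, len, out);
}
/* A record that declares 3 properties but carries bytes for only 2. */
int demo_truncated(void) {
    uint8_t buf[2 + 3 * PROP_SIZE];
    prop_t out[MAX_PROPS];
    size_t len = build_record(3, buf, sizeof buf);
    return safe_parse(buf, len - PROP_SIZE, out);
}

int main(void) {
    printf("benign  n=3 : overrun=%d safe=%d\n", demo_overrun(3), demo_safe(3));
    printf("crafted n=20: overrun=%d safe=%d\n", demo_overrun(20), demo_safe(20));
    printf("truncated   : safe=%d\n", demo_truncated());
    return 0;
}
```

With the benign record (3 properties) neither parser writes past the eight-slot buffer; with the crafted record declaring 20 properties the vulnerable loop clobbers 12 slots beyond it, while safe_parse rejects the count before touching memory. The second check in safe_parse matters as much as the first: a count that fits the buffer but exceeds the bytes present would otherwise turn into an out-of-bounds read of the input.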

Impact

Successful exploitation allows an attacker to execute arbitrary code in the context of the current process. This can lead to full compromise of confidentiality, integrity, and availability. The CVSS v3.1 score is 7.8 (High), with the vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H [2].

Mitigation

The vulnerability is fixed in ODA Drawings SDK version 2022.11. Users of the SDK should update to this version or later. For affected products like Siemens JT2Go, refer to the vendor's security advisory for specific patch information. No workarounds are documented, and the CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog [1][2].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

References: 4