CVE-2021-43390
Description
An Out-of-Bounds Write vulnerability exists when reading a DGN file using Open Design Alliance Drawings SDK before 2022.11. The specific issue exists within the parsing of DGN files. Crafted data in a DGN file and lack of proper validation of input data can trigger a write operation past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An out-of-bounds write in ODA Drawings SDK before 2022.11 allows code execution via a crafted DGN file.
Vulnerability
An out-of-bounds write vulnerability exists in Open Design Alliance (ODA) Drawings SDK versions prior to 2022.11 [1]. The flaw resides in the DGN file parsing code, where crafted data in a DGN file can trigger a write operation past the end of an allocated buffer due to improper input validation [2][3][4]. Affected products include ODA Drawings Explorer, ODAViewer, and any application using the vulnerable SDK [2][3][4].
Exploitation
An attacker can exploit this vulnerability by enticing a user to open a specially crafted DGN file or visit a malicious page that triggers file parsing [2][3][4]. No authentication is required, but user interaction is necessary. The specific attack vector is local (CVSS vector AV:L) and requires no privileges [2].
Impact
Successful exploitation allows an attacker to execute arbitrary code in the context of the current process [2][3][4]. The scope of compromise is limited to the affected process, but due to the code execution capability, confidentiality, integrity, and availability are all at high risk (CVSS 7.8) [2].
Mitigation
Open Design Alliance released a fix in Drawings SDK version 2022.11 [1]. Users should update to this or a later version. No workarounds have been provided by the vendor. The vulnerability is not known to be listed in CISA's Known Exploited Vulnerabilities (KEV) catalog at the time of writing.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Open Design Alliance/Drawings SDK
- Range: <2022.11
Patches
No patches discovered yet.
References
- www.opendesign.com/security-advisories (MITRE, x_refsource_MISC)
- www.zerodayinitiative.com/advisories/ZDI-21-1347/ (MITRE, x_refsource_MISC)
- www.zerodayinitiative.com/advisories/ZDI-21-1348/ (MITRE, x_refsource_MISC)
- www.zerodayinitiative.com/advisories/ZDI-21-1362/ (MITRE, x_refsource_MISC)