CVE-2021-43391
Description
An Out-of-Bounds Read vulnerability exists when reading a DXF file using Open Design Alliance Drawings SDK before 2022.11. The specific issue exists within the parsing of DXF files. Crafted data in a DXF file (an invalid dash counter in line types) can trigger a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An out-of-bounds read in ODA Drawings SDK before 2022.11 allows remote code execution via a crafted DXF file with an invalid dash counter.
Vulnerability
An out-of-bounds read vulnerability exists in Open Design Alliance (ODA) Drawings SDK versions prior to 2022.11. The flaw resides in the parsing of DXF files, specifically when handling an invalid dash counter in line types. This can cause a read past the end of an allocated buffer. Affected products include ODA Drawings Explorer and ODAViewer [2][3].
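The following pre-screening check is an added example (not ODA code and not taken from the cited advisories) that flags DXF files whose line type entries carry a dash counter inconsistent with the dash data actually present. It assumes the "dash counter" corresponds to group code 73 of an LTYPE table entry and that each dash length is one group code 49 value, as in the published DXF format; the function names and the sample data are constructed for illustration.

```python
# Added example (not ODA code). Assumption: the "dash counter" is DXF group
# code 73 of an LTYPE table entry and each dash length is one group code 49.
def read_pairs(text):
    """Split DXF text into (group_code, value) pairs; reject malformed input."""
    lines = text.splitlines()
    if len(lines) % 2:
        raise ValueError("truncated DXF: group code without a value")
    return [(int(c.strip()), v.strip()) for c, v in zip(lines[0::2], lines[1::2])]

def ltype_records(text):
    """Yield {'name', 'declared', 'dashes'} for each entry of the LTYPE table."""
    in_table, rec, prev = False, None, None
    for code, value in read_pairs(text):
        if code == 0:                      # group 0 starts a new entry
            if rec is not None:
                yield rec
            rec = None
            if value == "ENDTAB":
                in_table = False
            elif value == "LTYPE" and in_table:
                rec = {"name": None, "declared": None, "dashes": []}
        elif prev == (0, "TABLE") and code == 2:
            in_table = value == "LTYPE"    # table name follows "0 TABLE"
        elif rec is not None and code in (2, 73):
            rec["name" if code == 2 else "declared"] = value
        elif rec is not None and code == 49:
            rec["dashes"].append(value)
        prev = (code, value)
    if rec is not None:                    # file ended inside an entry
        yield rec

def check_ltypes(text):
    """Return (name, reason) for entries whose counter disagrees with the data."""
    findings = []
    for rec in ltype_records(text):
        try:
            declared = int(rec["declared"])
        except (TypeError, ValueError):
            findings.append((rec["name"], "missing or non-integer group 73"))
            continue
        if declared < 0 or declared != len(rec["dashes"]):
            findings.append((rec["name"], f"declares {declared}, has {len(rec['dashes'])}"))
    return findings

# Constructed sample: one consistent entry, one with an inflated counter.
PAIRS = [(0, "SECTION"), (2, "TABLES"), (0, "TABLE"), (2, "LTYPE"),
         (0, "LTYPE"), (2, "DASHED"), (73, 2), (40, 0.75), (49, 0.5), (49, -0.25),
         (0, "LTYPE"), (2, "BAD"), (73, 200), (40, 0.5), (49, 0.5),
         (0, "ENDTAB"), (0, "ENDSEC"), (0, "EOF")]
SAMPLE = "".join(f"{c}\n{v}\n" for c, v in PAIRS)
```

A file that produces findings can be quarantined before it reaches an application built on an SDK older than 2022.11; a clean result does not replace updating.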
Exploitation
An attacker can exploit this vulnerability by crafting a malicious DXF file containing an invalid dash counter. User interaction is required: the target must open the malicious file using an affected application such as ODA Drawings Explorer or ODAViewer [2][3]. No authentication or special network position is needed beyond delivering the file to the user.
Impact
Successful exploitation can lead to information disclosure (as per ZDI-21-1352 [2]) or, when combined with other vulnerabilities, arbitrary code execution in the context of the current process (as per ZDI-21-1361 [3]). The CVSS score for the RCE variant is 7.8 (High) [3].
Mitigation
The vulnerability is fixed in ODA Drawings SDK version 2022.11. Users should update to this version or later. No workarounds are documented. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Open Design Alliance/Drawings SDK
- Range: <2022.11
Patches
No patches discovered yet.