CVE-2021-44044
Description
An out-of-bounds write vulnerability exists when reading a JPG file using Open Design Alliance Drawings SDK before 2022.11. The specific issue exists with parsing JPG files. Crafted data in a JPG (4 extraneous bytes before the marker 0xca) can trigger a write operation past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An out-of-bounds write in Open Design Alliance Drawings SDK before 2022.11 allows remote code execution via a crafted JPG file with extraneous bytes before marker 0xca.
Vulnerability
An out-of-bounds write vulnerability exists in the Open Design Alliance Drawings SDK when reading JPG files. The issue affects all versions before 2022.11. Specifically, a crafted JPG file containing 4 extraneous bytes before the marker 0xca can trigger a write operation past the end of an allocated buffer during parsing.
Exploitation
An attacker can exploit this vulnerability by supplying a specially crafted JPG file to a user or application that uses the vulnerable SDK. No authentication is required; the attacker only needs to deliver the file (e.g., via email, web download, or file upload). The user must open the file with an application using the vulnerable SDK. No special privileges are needed beyond the ability to provide the malicious file.
Impact
Successful exploitation allows the attacker to execute arbitrary code in the context of the current process. This can lead to full compromise of the affected system, including data theft, installation of malware, or further lateral movement.
Mitigation
The vulnerability is fixed in ODA Drawings SDK version 2022.11. Users should update to this version or later. No workarounds are mentioned in the available references [1].
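For screening inbound files while the SDK update is rolled out, the following is an added example, not code from the advisory or from Open Design Alliance. It walks the JPEG marker segments and reports bytes that no segment accounts for, in particular any that sit directly before an 0xFFCA marker. It assumes "extraneous bytes" means data lying between the end of the preceding segment and the marker; all function names and sample bytes are constructed for illustration.

```python
import struct

SOI, EOI, SOS, SOF10 = 0xD8, 0xD9, 0xDA, 0xCA
# Markers with no length field: TEM, RST0-RST7, SOI, EOI.
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))

def stray_bytes(data: bytes):
    """Return [(marker, gap_offset, gap_len)] for each run of non-0xFF bytes
    found where the next marker should start, up to SOS or EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker")
    findings, pos = [], 2
    while pos < len(data):
        gap_start = pos
        while pos < len(data) and data[pos] != 0xFF:
            pos += 1                      # bytes no segment accounts for
        gap_len = pos - gap_start
        while pos + 1 < len(data) and data[pos + 1] == 0xFF:
            pos += 1                      # legal 0xFF fill bytes
        if pos + 1 >= len(data):
            break
        marker = data[pos + 1]
        pos += 2
        if gap_len:
            findings.append((marker, gap_start, gap_len))
        if marker in (SOS, EOI):
            break                         # entropy-coded data is not walked
        if marker not in STANDALONE:
            if pos + 2 > len(data):
                break
            (seg_len,) = struct.unpack(">H", data[pos:pos + 2])
            if seg_len < 2:
                raise ValueError(f"bad segment length at offset {pos}")
            pos += seg_len
    return findings

def matches_advisory_pattern(data: bytes) -> bool:
    """True if stray bytes sit directly before an 0xFFCA marker."""
    return any(marker == SOF10 for marker, _, _ in stray_bytes(data))

# Constructed sample input: minimal header segments, not a renderable image.
APP0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
SOF = b"\xff\xca\x00\x0b\x08\x00\x01\x00\x01\x01\x01\x11\x00"
CLEAN = b"\xff\xd8" + APP0 + SOF + b"\xff\xd9"
SUSPECT = b"\xff\xd8" + APP0 + b"\x00" * 4 + SOF + b"\xff\xd9"

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(name, stray_bytes(blob), matches_advisory_pattern(blob))
```

A hit is a reason to quarantine the file for review, not proof of an exploit attempt; stray runs that themselves contain 0xFF are not measured exactly by this walk.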
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Open Design Alliance/Drawings SDK
- Range: <2022.11
Patches
No patches discovered yet.
References
- [1] www.opendesign.com/security-advisories (mitre, x_refsource_MISC)