VYPR
Unrated severity · NVD Advisory · Published Jan 15, 2022 · Updated May 5, 2025

CVE-2022-23095

Description

Open Design Alliance Drawings SDK before 2022.12.1 mishandles the loading of JPG files. Unchecked input data from a crafted JPG file leads to memory corruption. An attacker can leverage this vulnerability to execute code in the context of the current process.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Open Design Alliance Drawings SDK before 2022.12.1 mishandles JPG file loading, leading to memory corruption and potential code execution.

Vulnerability

Open Design Alliance Drawings SDK versions before 2022.12.1 contain a memory corruption vulnerability in the handling of JPG files during the loading process. The software fails to validate input data from a crafted JPG file, which can lead to memory corruption. The affected product is ODA Drawings SDK.

Exploitation

An attacker can exploit this vulnerability by providing a specially crafted JPG file to an application using the affected SDK. No authentication or special network position is required if the application loads user-supplied files. The attack vector is local or remote depending on how the application receives the file (e.g., via download or email). The user must open the malicious file using an application built with the vulnerable SDK.

Impact

Successful exploitation can lead to memory corruption, which may allow the attacker to execute arbitrary code in the context of the current process. This could result in full compromise of the affected application and potentially the underlying system, depending on the process privileges.

Mitigation

Open Design Alliance Drawings SDK version 2022.12.1 and later contain the fix for this vulnerability [1]. Users should update to this version or later. No workarounds are provided by the vendor. The vulnerability is not currently listed on the CISA KEV.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

References

1
