CVE-2022-28807
Description
An issue was discovered in Open Design Alliance Drawings SDK before 2023.2. An Out-of-Bounds Read vulnerability exists when rendering a .dwg file after it's opened in the recovery mode. An attacker can leverage this vulnerability to execute code in the context of the current process.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An out-of-bounds read in ODA Drawings SDK < 2023.2 allows arbitrary code execution when a crafted DWG is opened in recovery mode.
Vulnerability
The vulnerability resides in the Open Design Alliance Drawings SDK, affecting all versions prior to 2023.2. An out-of-bounds read occurs when rendering a specially crafted DWG file that is opened in recovery mode. The flaw exists in the code path responsible for reading specific malformed or unexpected data during the recovery parsing process. [1]
Exploitation
To exploit this vulnerability, an attacker needs to convince a user or a process using the affected SDK to open a malicious DWG file in recovery mode. The attacker does not require authentication or special network position; the attack vector is local or via file delivery (e.g., email, download). When the SDK attempts to render the crafted file during recovery, the out-of-bounds read is triggered, potentially leading to a crash or further exploitation. [1]
Impact
Successful exploitation allows an attacker to execute arbitrary code in the context of the current process. This could result in full compromise of the affected application, including data exfiltration, installation of malware, or unauthorized system access, depending on the privileges of the hosting process. [1]
Mitigation
The vulnerability is fixed in ODA Drawings SDK version 2023.2 and later. Users should upgrade to the latest version. No workarounds are documented; the only mitigation is to avoid opening untrusted DWG files in recovery mode with unpatched SDK versions. [1]
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
- www.opendesign.com/security-advisories
News mentions (0)
No linked articles in our index yet.