ODA Security Advisories

Fixed in

• 25.10

  • CVE-2024-8894

    Affected Product
    Code Base

    Vulnerability
    Name

    描述

    Vulnerability
    Type

    Attack Vectors

    Discoverer(s)/
    Credits

    ODA Drawings SDK - All Versions < 2025.10

    CVE-2024-8894

    Out-of-bounds Write vulnerability was discovered in Open Design Alliance Drawings SDK before 2025.10. Reading crafted DWF file and missing proper checks on received SectionIterator data can trigger an unhandled exception. This can allow attackers to cause a crash, potentially enabling a denial-of-service attack (Crash, Exit, or Restart) or possible code execution.

    Out-of-bounds Write

    To exploit vulnerability, malicious DWF file should be read by ODA Drawings SDK

    Vladislav Berghici
• 25.3

  • CVE-2024-12564

    Affected Product
    Code Base

    Vulnerability
    Name

    描述

    Vulnerability
    Type

    Attack Vectors

    Discoverer(s)/
    Credits

    CDE inWEB SDK - All Versions < 2025.3

    CVE-2024-12564

    Exposure of Sensitive Information to an Unauthorized Actor vulnerability was discovered in Open Design Alliance CDE inWEB SDK before 2025.3. Installing CDE Server with default settings allows unauthorized users to visit prometheus metrics page. This can allow attackers to understand more things about the target application which may help in further investigation and exploitation.

    CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

    To exploit vulnerability, go to prometheus metrics page.

    dhiyaneshDK, philippedelteil
• 24.12

  • CVE-2023-5180

    Affected Product
    Code Base

    Vulnerability
    Name

    描述

    Vulnerability
    Type

    Attack Vectors

    Discoverer(s)/
    Credits

    ODA Drawings SDK - All Versions < 2024.12

    CVE-2023-5180

    An issue was discovered in Open Design Alliance Drawings SDK before 2024.12. A corrupted value of number of sectors used by the Fat structure in a crafted DGN file leads to an out-of-bounds write. This can allow attackers to cause a crash, potentially enabling a denial-of-service attack (Crash, Exit, or Restart) or possible code execution.

    Out-of-bounds Write

    To exploit vulnerability, malicious DGN file should be read by ODA Drawings SDK

    Seyit Sığırcı
• 24.10

  • CVE-2023-5179

    Affected Product
    Code Base

    Vulnerability
    Name

    描述

    Vulnerability
    Type

    Attack Vectors

    Discoverer(s)/
    Credits

    ODA Drawings SDK - All Versions < 2024.10

    CVE-2023-5179

    An issue was discovered in Open Design Alliance Drawings SDK before 2024.10. A corrupted value for the start of MiniFat sector in a crafted DGN file leads to an out-of-bounds read. This can allow attackers to cause a crash, potentially enabling a denial-of-service attack (Crash, Exit, or Restart) or possible code execution.

    Out-of-bounds Read

    To exploit vulnerability, malicious DGN file should be read by ODA Drawings SDK

    Seyit Sığırcı
• 24.1

  • CVE-2023-26495

    Affected Product
    Code Base

    Vulnerability
    Name

    描述

    Vulnerability
    Type

    Attack Vectors

    Discoverer(s)/
    Credits

    Drawings SDK - All Versions < 2024.1

    CVE-2023-26495

    An issue was discovered in Open Design Alliance Drawings SDK before 2024.1. A crafted DWG file can force the SDK to reuse an object that has been freed. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code.

    Use After Free

    To exploit vulnerability malicious DWG file should be read using ODA Drawings SDK

    Mat Powell & Jimmy Calderon (@vectors2final) of Trend Micro Zero Day Initiative
• 23.6

  • CVE-2023-22670

    Affected Product
    Code Base

    Vulnerability
    Name

    描述

    Vulnerability
    Type

    Attack Vectors

    Discoverer(s)/
    Credits

    Drawings SDK - All Versions < 2023.6

    CVE-2023-22670

    A heap-based buffer overflow exists in the DXF file reading procedure in Open Design Alliance Drawings SDK before 2023.6. The specific flaw exists within the parsing of DXF files. The issue results from the lack of proper validation of the length of user-supplied XRecord data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process.

    Buffer Overflow

    To exploit vulnerability malicious DXF file should be read using ODA Drawings SDK

    Mat Powell & Jimmy Calderon (@vectors2final) of Trend Micro Zero Day Initiative
  • CVE-2023-22669

    Affected Product
    Code Base

    Vulnerability
    Name

    描述

    Vulnerability
    Type

    Attack Vectors

    Discoverer(s)/
    Credits

    Drawings SDK - All Versions < 2023.6

    CVE-2023-22669

    Parsing of DWG files in Open Design Alliance Drawings SDK before 2023.6 lacks proper validation of the length of user-supplied XRecord data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process.

    Buffer Overflow

    To exploit vulnerability malicious DWG file should be read using ODA Drawings SDK

    Mat Powell & Jimmy Calderon (@vectors2final) of Trend Micro Zero Day Initiative
• 23.3

  • CVE-2022-28809

    Affected Product
    Code Base

    Vulnerability
    Name

    描述

    Vulnerability
    Type

    Attack Vectors

    Discoverer(s)/
    Credits

    Drawings SDK - All Versions < 2023.3

    CVE-2022-28809

    An issue was discovered in Open Design Alliance Drawings SDK before 2023.3. An Out-of-Bounds Read vulnerability exists when reading a DWG file with invalid vertex number in a recovery mode. An attacker can leverage this vulnerability to execute code in the context of the current process.

    Out-of-bounds Read

    To exploit vulnerability malicious DWG file should be opened in a recovery mode using ODA Drawings SDK.

    Yonghui Han of Fortinet's FortiGuard Labs
  • CVE-2022-28808

    Affected Product
    Code Base

    Vulnerability
    Name

    描述

    Vulnerability
    Type

    Attack Vectors

    Discoverer(s)/
    Credits

    Drawings SDK - All Versions < 2023.3

    CVE-2022-28808

    An issue was discovered in Open Design Alliance Drawings SDK before 2023.3. An Out-of-Bounds Read vulnerability exists when reading DWG files in a recovery mode. An attacker can leverage this vulnerability to execute code in the context of the current process.

    Out-of-bounds Read

    To exploit vulnerability malicious DWG file should be opened via recover using ODA Drawings SDK.

    Yonghui Han of Fortinet's FortiGuard Labs
• 23.2

  • CVE-2022-28807

    Affected Product
    Code Base

    Vulnerability
    Name

    描述

    Vulnerability
    Type

    Attack Vectors

    Discoverer(s)/
    Credits

    Drawings SDK - All Versions < 2023.2

    CVE-2022-28807

    An issue was discovered in Open Design Alliance Drawings SDK before 2023.2. An Out-of-Bounds Read vulnerability exists when rendering a .dwg file after it's opened in the recovery mode. An attacker can leverage this vulnerability to execute code in the context of the current process.

    Out-of-bounds Read

    To exploit vulnerability malicious DWG file should be rendered after recovering using ODA Drawings SDK.

    Han of Fortinet's FortiGuard Labs
• 22.12.1

  • CVE-2022-23095

    Affected Product
    Code Base

    Vulnerability
    Name

    描述

    Vulnerability
    Type

    Attack Vectors

    Discoverer(s)/
    Credits

    Drawings SDK - All Versions < 2022.12.1

    CVE-2022-23095

    Open Design Alliance Drawings SDK before 2022.12.1 mishandles the loading of JPG files. Unchecked input data from a crafted JPG file leads to memory corruption. An attacker can leverage this vulnerability to execute code in the context of the current process.

    Improper Input Validation

    To exploit vulnerability malicious JPG file should be read using ODA Drawings SDK.

    Mat Powell of Trend Micro Zero Day Initiative
• 22.12

  • CVE-2021-44860

    Affected Product
    Code Base

    Vulnerability
    Name

    描述

    Vulnerability
    Type

    Attack Vectors

    Discoverer(s)/
    Credits

    Drawings SDK - All Versions < 2022.12

    CVE-2021-44860

    An out-of-bounds read vulnerability exists when reading a TIF file using Open Design Alliance Drawings SDK before 2022.12. The specific issue exists after loading TIF files. An unchecked input data from a crafted TIF file leads to an out-of-bounds read. An attacker can leverage this vulnerability to execute code in the context of the current process.

    Out-of-bounds Read

    To exploit vulnerability malicious TIF file should be read using ODA Drawings SDK.

    Mat Powell of Trend Micro Zero Day Initiative
  • CVE-2021-44859

    Affected Product
    Code Base

    Vulnerability
    Name

    描述

    Vulnerability
    Type

    Attack Vectors

    Discoverer(s)/
    Credits

    Drawings SDK - All Versions < 2022.12

    CVE-2021-44859

    An out-of-bounds read vulnerability exists when reading a TGA file using Open Design Alliance Drawings SDK before 2022.12. The specific issue exists after loading TGA files. An unchecked input data from a crafted TGA file leads to an out-of-bounds read. An attacker can leverage this vulnerability to execute code in the context of the current process.

    Out-of-bounds Read

    To exploit vulnerability malicious TGA file should be read using ODA Drawings SDK.

    Mat Powell of Trend Micro Zero Day Initiative
  • CVE-2021-44423

    Affected Product
    Code Base

    Vulnerability
    Name

    描述

    Vulnerability
    Type

    Attack Vectors

    Discoverer(s)/
    Credits

    ODA Drawings Explorer - All Versions < 2022.12

    CVE-2021-44423

    An out-of-bounds read vulnerability exists when reading a BMP file using Open Design Alliance (ODA) Drawings Explorer before 2022.12. The specific issue exists after loading BMP files. Unchecked input data from a crafted BMP file leads to an out-of-bounds read. An attacker can leverage this vulnerability to execute code in the context of the current process.

    Out-of-bounds Read

    To exploit vulnerability malicious BMP file should be opened in ODA Drawings Explorer.

    Tran Van Khang - khangkito (VinCSS) working with Trend Micro Zero Day Initiative
  • CVE-2021-44422

    Affected Product
    Code Base

    Vulnerability
    Name

    描述

    Vulnerability
    Type

    Attack Vectors

    Discoverer(s)/
    Credits

    Drawings SDK - All Versions < 2022.12

    CVE-2021-44422

    An Improper Input Validation Vulnerability exists when reading a BMP file using Open Design Alliance Drawings SDK before 2022.12. Crafted data in a BMP file can trigger a write operation past the end of an allocated buffer, or lead to a heap-based buffer overflow. An> attacker can leverage this vulnerability to execute code in the context of the current process.

    Improper Input Validation

    To exploit vulnerability malicious BMP file should be read using ODA Drawings SDK.

    Mat Powell of Trend Micro Zero Day Initiative
• 22.11

  • CVE-2021-44048

    Affected Product
    Code Base

    Vulnerability
    Name

    描述

    Vulnerability
    Type

    Attack Vectors

    Discoverer(s)/
    Credits

    ODA Drawings Explorer - All Versions < 2022.11

    CVE-2021-44048

    An out-of-bounds write vulnerability exists when reading a TIF file using ODA Drawings Explorer before 2022.11. The specific issue exists after loading TIF files. Crafted data in a TIF file can trigger a write operation past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process.

    Out-of-bounds Write

    To exploit vulnerability malicious TIF file should be opened in ODA Drawings Explorer.

    Mat Powell of Trend Micro Zero Day Initiative
  • CVE-2021-44047

    Affected Product
    Code Base

    Vulnerability
    Name

    描述

    Vulnerability
    Type

    Attack Vectors

    Discoverer(s)/
    Credits

    Drawings SDK - All Versions < 2022.11

    CVE-2021-44047

    A use-after-free vulnerability exists when reading a DWF/DWFX file using Open Design Alliance Drawings SDK before 2022.11. The specific issue exists with parsing DWF/DWFX files. Crafted data in a DWF/DWFX file and lack of proper validation of input data can trigger a write operation past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process.

    Use-After-Free

    To exploit vulnerability malicious DWF/DWFX file should be read using ODA Drawings SDK.

    Mat Powell of Trend Micro Zero Day Initiative
  • CVE-2021-44046

    Affected Product
    Code Base

    Vulnerability
    Name

    描述

    Vulnerability
    Type

    Attack Vectors

    Discoverer(s)/
    Credits

    ODA PRC SDK - All Versions < 2022.11

    CVE-2021-44046

    An out-of-bounds write vulnerability exists when reading U3D files in Open Design Alliance PRC SDK before 2022.11. An unchecked return value of a function (verifying input data from a U3D file) leads to an out-of-bounds write. An attacker can leverage this vulnerability to execute code in the context of the current process.

    Out-of-bounds Write

    To exploit vulnerability malicious U3D file should be converted to a PRC file using ODA PRC SDK.

    Tran Van Khang - khangkito (VinCSS) working with Trend Micro Zero Day Initiative
  • CVE-2021-44045

    Affected Product
    Code Base

    Vulnerability
    Name

    描述

    Vulnerability
    Type

    Attack Vectors

    Discoverer(s)/
    Credits

    Drawings SDK - All Versions < 2022.11

    CVE-2021-44045

    An out-of-bounds write vulnerability exists when reading a DGN file using Open Design Alliance Drawings SDK before 2022.11. The specific issue exists within the parsing of DGN files. Crafted data in a DGN file and lack of proper validation for the XFAT sectors count can trigger a write operation past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process.

    Out-of-bounds Write

    To exploit vulnerability malicious DGN file should be read using ODA Drawings SDK.

    Mat Powell of Trend Micro Zero Day Initiative
  • CVE-2021-44044

    Affected Product
    Code Base

    Vulnerability
    Name

    描述

    Vulnerability
    Type

    Attack Vectors

    Discoverer(s)/
    Credits

    Drawings SDK - All Versions < 2022.11

    CVE-2021-44044

    An out-of-bounds write vulnerability exists when reading a JPG file using Open Design Alliance Drawings SDK before 2022.11. The specific issue exists with parsing JPG files. Crafted data in a JPG (4 extraneous bytes before the marker 0xca) can trigger a write operation past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process.

    Out-of-bounds Write

    To exploit vulnerability malicious JPG file should be read using ODA Drawings SDK.

    Mat Powell of Trend Micro Zero Day Initiative
  • CVE-2021-43582

    Affected Product
    Code Base

    Vulnerability
    Name

    描述

    Vulnerability
    Type

    Attack Vectors

    Discoverer(s)/
    Credits

    Drawings SDK - All Versions < 2022.11

    CVE-2021-43582

    A Use-After-Free Remote Vulnerability exists when reading a DWG file using Open Design Alliance Drawings SDK before 2022.11. The specific issue exists within the parsing of DWG files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process.

    Use-After-Free

    To exploit vulnerability malicious DWG file should be read using ODA Drawings SDK.

    Mat Powell of Trend Micro Zero Day Initiative
  • CVE-2021-43581

    Affected Product
    Code Base

    Vulnerability
    Name

    描述

    Vulnerability
    Type

    Attack Vectors

    Discoverer(s)/
    Credits

    ODA PRC SDK - All Versions < 2022.11

    CVE-2021-43581

    An Out-of-Bounds Read vulnerability exists when reading a U3D file using Open Design Alliance PRC SDK before 2022.11. The specific issue exists within the parsing of U3D files. Incorrect use of the LibJpeg source manager inside the U3D library, and crafted data in a U3D file, can trigger a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process.

    Out-of-Bounds Read

    To exploit vulnerability malicious U3D file should be converted into .prc file using ODA PRC SDK.

    Mat Powell of Trend Micro Zero Day Initiative
  • CVE-2021-43390

    Affected Product
    Code Base

    Vulnerability
    Name

    描述

    Vulnerability
    Type

    Attack Vectors

    Discoverer(s)/
    Credits

    Drawings SDK - All Versions < 2022.11

    CVE-2021-43390

    Out-of-Bounds Write vulnerability exists when reading a DGN file using Open Design Alliance Drawings SDK versions prior to 2022.11. The specific issue exists within the parsing of DGN files. Crafted data in a DGN file and lack of proper validation of input data can trigger a write operation past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process.

    Out-of-Bounds Write

    To exploit vulnerability, malicious DGN file should be read using ODA Drawings SDK.

    Mat Powell of Trend Micro Zero Day Initiative
  • CVE-2021-43336

    Affected Product
    Code Base

    Vulnerability
    Name

    描述

    Vulnerability
    Type

    Attack Vectors

    Discoverer(s)/
    Credits

    Drawings SDK - All Versions < 2022.11

    CVE-2021-43336

    Out-of-Bounds Write vulnerability exists when reading a DXF file using Open Design Alliance Drawings SDK versions prior to 2022.11. The specific issue exists within the parsing of DXF files. Crafted data in a DXF file (invalid number of properties) can trigger a write operation past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process.

    Out-of-bounds Write

    To exploit vulnerability, malicious DXF file should be read using ODA Drawings SDK.

    Mat Powell of Trend Micro Zero Day Initiative
  • CVE-2021-43278

    Affected Product
    Code Base

    Vulnerability
    Name

    描述

    Vulnerability
    Type

    Attack Vectors

    Discoverer(s)/
    Credits

    Drawings SDK - All Versions < 2022.11

    CVE-2021-43278

    Out-of-bounds Read vulnerability exists in Open Design Alliance Drawings SDK before 2022.11. The specific flaw exists within the parsing of OBJ files. The lack of validating of the input length can trigger a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process.

    Out-of-bounds Read

    To exploit vulnerability malicious OBJ file should be read using ODA Drawings SDK

    Mat Powell of Trend Micro Zero Day Initiative
  • CVE-2021-43274

    Affected Product
    Code Base

    Vulnerability
    Name

    描述

    Vulnerability
    Type

    Attack Vectors

    Discoverer(s)/
    Credits

    Drawings SDK - All Versions < 2022.11

    CVE-2021-43274

    Use After Free Vulnerability exists in in Open Design Alliance Drawings SDK before 2022.11. The specific flaw exists within the parsing of DWF files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process.

    Use After Free

    To exploit vulnerability malicious DWF file should be read by ODA Drawings SDK

    Mat Powell of Trend Micro Zero Day Initiative
  • CVE-2021-43273

    Affected Product
    Code Base

    Vulnerability
    Name

    描述

    Vulnerability
    Type

    Attack Vectors

    Discoverer(s)/
    Credits

    Drawings SDK - All Versions < 2022.11

    CVE-2021-43273

    Out-of-bounds Read vulnerability exists in the DGN file reading procedure in Open Design Alliance Drawings SDK before 2022.11. Crafted data in a DGN file and lack of verification of input data can trigger a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process.

    Out-of-bounds Read

    To exploit vulnerability malicious DGN file should be read using ODA Drawings SDK

    Mat Powell of Trend Micro Zero Day Initiative
  • CVE-2021-43272

    Affected Product
    Code Base

    Vulnerability
    Name

    描述

    Vulnerability
    Type

    Attack Vectors

    Discoverer(s)/
    Credits

    ODA Viewer - All Versions < 2022.11

    CVE-2021-43272

    Improper handling of exceptional conditions vulnerability exists in Open Design Alliance ODA Viewer sample before 2022.11. ODA Viewer continues process the invalid or malicious DWF files instead of stopping on exception. An attacker can leverage this vulnerability to execute code in the context of the current process.

    Improper Check or Handling of Exceptional Conditions

    To exploit vulnerability malicious DWF file should be opened in ODA Viewer

    Mat Powell of Trend Micro Zero Day Initiative
• 22.10

  • CVE-2021-43279

    Affected Product
    Code Base

    Vulnerability
    Name

    描述

    Vulnerability
    Type

    Attack Vectors

    Discoverer(s)/
    Credits

    ODA PRC SDK - All Versions < 2022.10

    CVE-2021-43279

    Out of bounds write vulnerability exists in U3D files reading procedure in Open Design Alliance PRC SDK before 2022.10. Crafted data in a U3D file can trigger a write past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process.

    Out-of-bounds Write

    To exploit vulnerability malicious U3D file should be converted into .prc file using ODA PRC SDK

    Mat Powell of Trend Micro Zero Day Initiative
  • CVE-2021-43277

    Affected Product
    Code Base

    Vulnerability
    Name

    描述

    Vulnerability
    Type

    Attack Vectors

    Discoverer(s)/
    Credits

    ODA PRC SDK - All Versions < 2022.10

    CVE-2021-43277

    Out of bounds read vulnerability exists in U3D files reading procedure in Open Design Alliance PRC SDK before 2022.10. Crafted data in a U3D file can trigger a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process.

    Out-of-bounds Read

    To exploit vulnerability malicious U3D file should be converted into .prc file using ODA PRC SDK

    Mat Powell of Trend Micro Zero Day Initiative
• 22.8

  • CVE-2021-43391

    Affected Product
    Code Base

    Vulnerability
    Name

    描述

    Vulnerability
    Type

    Attack Vectors

    Discoverer(s)/
    Credits

    Drawings SDK - All Versions < 2022.8

    CVE-2021-43391

    Out-of-Bounds Read vulnerability exists when reading a DXF file using Open Design Alliance Drawings SDK versions prior to 2022.11. The specific issue exists within the parsing of DXF files. Crafted data in a DXF file (invalid dash counter in line types) can trigger a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process.

    Out-of-Bounds Read

    To exploit vulnerability, malicious DXF file should be read using ODA Drawings SDK.

    Mat Powell & Jimmy Calderon (@vectors2final) of Trend Micro Zero Day Initiative
  • CVE-2021-43280

    Affected Product
    Code Base

    Vulnerability
    Name

    描述

    Vulnerability
    Type

    Attack Vectors

    Discoverer(s)/
    Credits

    Drawings SDK - All Versions < 2022.8

    CVE-2021-43280

    Stack-based buffer overflow vulnerability exists in the DWF file reading procedure in Open Design Alliance Drawings SDK before 2022.8. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process.

    Stack-based Buffer Overflow

    To exploit vulnerability malicious DWF file should be read using ODA Drawings SDK

    Mat Powell of Trend Micro Zero Day Initiative
  • CVE-2021-43276

    Affected Product
    Code Base

    Vulnerability
    Name

    描述

    Vulnerability
    Type

    Attack Vectors

    Discoverer(s)/
    Credits

    ODA Viewer - All Versions < 2022.8

    CVE-2021-43276

    Out-of-bounds Read vulnerability exists in Open Design Alliance ODA Viewer sample before 2022.8. Crafted data in a DWF file can trigger a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process.

    Out-of-bounds Read

    To exploit vulnerability malicious DWF file should be opened in ODA Viewer sample

    Mat Powell of Trend Micro Zero Day Initiative
  • CVE-2021-43275

    Affected Product
    Code Base

    Vulnerability
    Name

    描述

    Vulnerability
    Type

    Attack Vectors

    Discoverer(s)/
    Credits

    Drawings SDK - All Versions < 2022.8

    CVE-2021-43275

    Use After Free vulnerability exists in the DGN file reading procedure in Open Design Alliance Drawings SDK before 2022.8. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process.

    Use After Free

    To exploit vulnerability malicious DGN file should be read by ODA Drawings SDK

    Mat Powell of Trend Micro Zero Day Initiative
• 22.5

  • CVE-2021-32952

    Affected Product
    Code Base

    Vulnerability
    Name

    描述

    Vulnerability
    Type

    Attack Vectors

    Discoverer(s)/
    Credits

    Drawings SDK - All Versions < 2022.5

    CVE-2021-32952

    Out-of-bounds Write vulnerability exists in the DGN file-reading procedure in Open Design Alliance Drawings SDK before 2022.5. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. It can allow attackers to cause a denial of service (crash) or execute code in the context of the current process.

    Out-of-bounds Write

    To exploit vulnerability malformed DGN file should be read.

    Trend Micro Zero Day Initiative
  • CVE-2021-32946

    Affected Product
    Code Base

    Vulnerability
    Name

    描述

    Vulnerability
    Type

    Attack Vectors

    Discoverer(s)/
    Credits

    Drawings SDK - All Versions < 2022.5

    CVE-2021-32946

    Improper check for Unusual or Exceptional Conditions vulnerability exists within the parsing DGN files in Open Design Alliance Drawing SDK before 2022.5. The issue results from the lack of proper validation of the user-supplied data, which may result in many types of out-of-bounds problems (CWE-119). It can allow attackers to cause a denial of service (crash) or execute code in the context of the current process.

    Improper Check for Unusual or Exceptional Conditions

    To exploit vulnerability malformed DGN file should be read.

    Mat Powell of Trend Micro Zero Day Initiative
  • CVE-2021-32940

    Affected Product
    Code Base

    Vulnerability
    Name

    描述

    Vulnerability
    Type

    Attack Vectors

    Discoverer(s)/
    Credits

    Drawings SDK - All Versions < 2022.5

    CVE-2021-32940

    Out-of-bounds Read vulnerability exists in the DWG file-recovering procedure in Open Design Alliance Drawings SDK before 2022.4. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer and allows attackers to cause a denial of service (crash) or read sensitive information from memory locations.

    Out-of-bounds Read

    To exploit vulnerability malicious DWG file should be open via recover.

    Mat Powell of Trend Micro Zero Day Initiative
• 22.4

  • CVE-2021-32950

    Affected Product
    Code Base

    Vulnerability
    Name

    描述

    Vulnerability
    Type

    Attack Vectors

    Discoverer(s)/
    Credits

    Drawings SDK - All Versions < 2022.4

    CVE-2021-32950

    Out-of-bounds Read vulnerability exists within the parsing of DXF files in Open Design Alliance Drawings SDK before 2022.4. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer and allows attackers to cause a denial of service (crash) or read sensitive information from memory locations.

    Out-of-bounds Read

    To exploit vulnerability malformed DXF file should be opened.

    Mat Powell of Trend Micro Zero Day Initiative
  • CVE-2021-32948

    Affected Product
    Code Base

    Vulnerability
    Name

    描述

    Vulnerability
    Type

    Attack Vectors

    Discoverer(s)/
    Credits

    Drawings SDK - All Versions < 2022.4

    CVE-2021-32948

    Out-of-bounds Write vulnerability exists in the DWG file-reading procedure in Open Design Alliance Drawings SDK before 2022.4. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. It can allow attackers to cause a denial of service (crash) or execute code in the context of the current process.

    Out-of-bounds Write

    To exploit vulnerability malicious DWG file should be opened.

    Mat Powell of Trend Micro Zero Day Initiative
  • CVE-2021-32944

    Affected Product
    Code Base

    Vulnerability
    Name

    描述

    Vulnerability
    Type

    Attack Vectors

    Discoverer(s)/
    Credits

    Drawings SDK - All Versions < 2022.4

    CVE-2021-32944

    Use-after-free vulnerability exists in the DGN file-reading procedure in Open Design Alliance Drawings SDK before 2022.4. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption or possibly arbitrary code execution. It can allow attackers to cause a denial of service (crash) or execute code in the context of the current process.

    Use After Free

    To exploit vulnerability malformed DGN file should be opened.

    Trend Micro Zero Day Initiative
  • CVE-2021-32938

    Affected Product
    Code Base

    Vulnerability
    Name

    描述

    Vulnerability
    Type

    Attack Vectors

    Discoverer(s)/
    Credits

    Drawings SDK - All Versions < 2022.4

    CVE-2021-32938

    Out-of-bounds Read vulnerability exists within the parsing of DWG files in Open Design Alliance Drawings SDK before 2022.4. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer and allows attackers to cause a denial of service (crash) or read sensitive information from memory locations.

    Out-of-bounds Read

    To exploit vulnerability malicious DWG file should be open.

    Mat Powell of Trend Micro Zero Day Initiative
  • CVE-2021-32936

    Affected Product
    Code Base

    Vulnerability
    Name

    描述

    Vulnerability
    Type

    Attack Vectors

    Discoverer(s)/
    Credits

    Drawings SDK - All Versions < 2022.4

    CVE-2021-32936

    Out-of-bounds Write vulnerability exists in the DXF file-recovering procedure in Open Design Alliance Drawings SDK before 2022.4. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. It can allow attackers to cause a denial of service (crash) or execute code in the context of the current process.

    Out-of-bounds Write

    To exploit vulnerability malicious DXF file should be opened via recover.

    Mat Powell of Trend Micro Zero Day Initiative
• 21.12

  • CVE-2021-25174

    Affected Product
    Code Base

    Vulnerability
    Name

    描述

    Vulnerability
    Type

    Attack Vectors

    Discoverer(s)/
    Credits

    Drawings SDK - All Versions < 2021.12

    CVE-2021-25174

    An issue was discovered in Open Design Alliance Drawings SDK before 2021.12. A memory corruption vulnerability exists when reading malformed DGN files. It can allow attackers to cause a crash, potentially enabling denial of service (Crash, Exit, or Restart).

    Memory Allocation with Excessive Size Value

    To exploit vulnerability malformed DGN file should be opened.

    Trend Micro Zero Day Initiative
  • CVE-2021-25173

    Affected Product
    Code Base

    Vulnerability
    Name

    描述

    Vulnerability
    Type

    Attack Vectors

    Discoverer(s)/
    Credits

    Drawings SDK - All Versions < 2021.12

    CVE-2021-25173

    An issue was discovered in Open Design Alliance Drawings SDK before 2021.12. A memory allocation with excessive size vulnerability exists when reading malformed DGN files, which allows attackers to cause a crash, potentially enabling denial of service (crash, exit, or restart).

    Memory Allocation with Excessive Size Value

    To exploit vulnerability malformed DGN file should be opened.

    Trend Micro Zero Day Initiative
• 21.11

  • CVE-2021-25178

    Affected Product
    Code Base

    Vulnerability
    Name

    描述

    Vulnerability
    Type

    Attack Vectors

    Discoverer(s)/
    Credits

    Drawings SDK - All versions < 2021.11

    CVE-2021-25178

    An issue was discovered in Open Design Alliance Drawings SDK before 2021.11. A stack-based buffer overflow vulnerability exists when the recover operation is run with malformed .DXF and .DWG files. This can allow attackers to cause a crash potentially enabling a denial of service attack (Crash, Exit, or Restart) or possible code execution.

    Buffer Overflow

    To exploit vulnerability malformed drawing file should be opened via 'recover'.

    Trend Micro Zero Day Initiative
  • CVE-2021-25177

    Affected Product
    Code Base

    Vulnerability
    Name

    描述

    Vulnerability
    Type

    Attack Vectors

    Discoverer(s)/
    Credits

    Drawings SDK - All Versions < 2021.11

    CVE-2021-25177

    An issue was discovered in Open Design Alliance Drawings SDK before 2021.11. A Type Confusion issue exists when rendering malformed .DXF and .DWG files. This can allow attackers to cause a crash, potentially enabling a denial of service attack (Crash, Exit, or Restart).

    Access of Resource Using Incompatible Type ('Type Confusion’)

    To exploit vulnerability malformed drawing file should be rendered.

    Michael DePlante (@izobashi) of Trend Micro Zero Day Initiative
  • CVE-2021-25176

    Affected Product
    Code Base

    Vulnerability
    Name

    描述

    Vulnerability
    Type

    Attack Vectors

    Discoverer(s)/
    Credits

    Drawings SDK - All Versions < 2021.11

    CVE-2021-25176

    An issue was discovered in Open Design Alliance Drawings SDK before 2021.11. A NULL pointer dereference exists when rendering malformed .DXF and .DWG files. This can allow attackers to cause a crash, potentially enabling a denial of service attack (Crash, Exit, or Restart).

    Untrusted Pointer Dereference

    To exploit vulnerability malformed drawing file should be rendered.

    Michael DePlante (@izobashi) of Trend Micro Zero Day Initiative
  • CVE-2021-25175

    Affected Product
    Code Base

    Vulnerability
    Name

    描述

    Vulnerability
    Type

    Attack Vectors

    Discoverer(s)/
    Credits

    Drawings SDK - All Versions < 2021.11

    CVE-2021-25175

    An issue was discovered in Open Design Alliance Drawings SDK before 2021.11. A Type Conversion issue exists when rendering malformed .DXF and .DWG files. This can allow attackers to cause a crash, potentially enabling a denial of service attack (Crash, Exit, or Restart).

    Incorrect Type Conversion or Cast

    To exploit vulnerability malformed drawing file should be rendered.

    Michael DePlante (@izobashi) of Trend Micro Zero Day Initiative
• 21.6

  • CVE-2021-31784

    Affected Product
    Code Base

    Vulnerability
    Name

    描述

    Vulnerability
    Type

    Attack Vectors

    Discoverer(s)/
    Credits

    Drawings SDK - All Versions < 2021.6

    CVE-2021-31784

    An out-of-bounds write vulnerability exists in the file-reading procedure in Open Design Alliance Drawings SDK before 2021.6 on all supported by ODA platforms in static configuration. This can allow attackers to cause a crash, potentially enabling a denial of service attack (Crash, Exit, or Restart) or possible code execution.

    Buffer Overflow

    To exploit vulnerability malformed DXF file should be opened.

    Michael DePlante (@izobashi) of Trend Micro Zero Day Initiative
• 2019Update2

  • CVE-2018-18224

    Affected Product
    Code Base

    Vulnerability
    Name

    描述

    Vulnerability
    Type

    Attack Vectors

    Discoverer(s)/
    Credits

    Drawings SDK - 2019Update1

    CVE-2018-18224

    A vulnerability exists in the file reading procedure in Open Design Alliance Drawings SDK 2019Update1 on non-Windows platforms in which attackers could perform read operations past the end, or before the beginning, of the intended buffer. This can allow attackers to obtain sensitive information from process memory or cause a crash.

    Buffer Overflow

    N/A

    Oracle
  • CVE-2018-18223

    Affected Product
    Code Base

    Vulnerability
    Name

    描述

    Vulnerability
    Type

    Attack Vectors

    Discoverer(s)/
    Credits

    Drawings SDK - 2019Update1

    CVE-2018-18223

    Open Design Alliance Drawings SDK 2019Update1 has a vulnerability during the reading of malformed files, allowing attackers to obtain sensitive information from process memory or cause a crash.

    Buffer Overflow

    To exploit vulnerability broken drawing file should be opened.

    Oracle