ODA Security Advisories

Vulnerabilities in the ODA Drawings Software Development Kit

Vulnerability Name Description Vulnerability Type Affected Product Code Base Attack Type CVE Impact Other Attack Vectors
CVE-2021-32938 Out-of-bounds Read vulnerability exists within the parsing of DWG files in Open Design Alliance Drawings SDK before 2022.4. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer and allows attackers to cause a denial of service (crash) or read sensitive information from memory locations. Out-of-bounds Read Drawings SDK - All Versions < 2022.4.
Fixed in 2022.4
Context-dependent This can allow attackers to cause a denial of service (crash) or read sensitive information from memory locations. To exploit vulnerability malicious DWG file should be open.
CVE-2021-32936 Out-of-bounds Write vulnerability exists in the DXF file-recovering procedure in Open Design Alliance Drawings SDK before 2022.4. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. It can allow attackers to cause a denial of service (crash) or execute code in the context of the current process. Out-of-bounds Write Drawings SDK - All Versions < 2022.4.
Fixed in 2022.4
Context-dependent This can allow attackers to cause a denial of service (crash) or read sensitive information from memory locations. To exploit vulnerability malicious DXF file should be opened via recover.
CVE-2021-32940 Out-of-bounds Read vulnerability exists in the DWG file-recovering procedure in Open Design Alliance Drawings SDK before 2022.4. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer and allows attackers to cause a denial of service (crash) or read sensitive information from memory locations. Out-of-bounds Read Drawings SDK - All Versions < 2022.4.
Fixed in 2022.4
Context-dependent This can allow attackers to cause a denial of service (crash) or read sensitive information from memory locations. To exploit vulnerability malicious DWG file should be open via recover.
CVE-2021-32946 Improper check for Unusual or Exceptional Conditions vulnerability exists within the parsing DGN files in Open Design Alliance Drawing SDK before 2022.5. The issue results from the lack of proper validation of the user-supplied data, which may result in many types of out-of-bounds problems (CWE-119). It can allow attackers to cause a denial of service (crash) or execute code in the context of the current process. Improper Check for Unusual or Exceptional Conditions Drawings SDK - All Versions < 2022.5.
Fixed in 2022.5
Context-dependent This can allow attackers to cause a denial of service (crash) or execute code in the context of the current process. To exploit vulnerability malformed DGN file should be read.
CVE-2021-32948 Out-of-bounds Write vulnerability exists in the DWG file-reading procedure in Open Design Alliance Drawings SDK before 2022.4. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. It can allow attackers to cause a denial of service (crash) or execute code in the context of the current process. Out-of-bounds Write Drawings SDK - All Versions < 2022.4.
Fixed in 2022.4
Context-dependent This can allow attackers to cause a denial of service (crash) or execute code in the context of the current process. To exploit vulnerability malicious DWG file should be opened.
CVE-2021-32950 Out-of-bounds Read vulnerability exists within the parsing of DXF files in Open Design Alliance Drawings SDK before 2022.4. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer and allows attackers to cause a denial of service (crash) or read sensitive information from memory locations. Out-of-bounds Read Drawings SDK - All Versions < 2022.4.
Fixed in 2022.4
Context-dependent This can allow attackers to cause a denial of service (crash) or read sensitive information from memory locations. To exploit vulnerability malformed DXF file should be opened.
CVE-2021-32952 Out-of-bounds Write vulnerability exists in the DGN file-reading procedure in Open Design Alliance Drawings SDK before 2022.5. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. It can allow attackers to cause a denial of service (crash) or execute code in the context of the current process. Out-of-bounds Write Drawings SDK - All Versions < 2022.5.
Fixed in 2022.5
Context-dependent This can allow attackers to cause a denial of service (crash) or execute code in the context of the current process. To exploit vulnerability malformed DGN file should be read.
CVE-2021-32944 Use-after-free vulnerability exists in the DGN file-reading procedure in Open Design Alliance Drawings SDK before 2022.4. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption or possibly arbitrary code execution. It can allow attackers to cause a denial of service (crash) or execute code in the context of the current process. Use After Free Drawings SDK - All Versions < 2022.4.
Fixed in 2022.4
Context-dependent This can allow attackers to cause a denial of service (crash) or execute code in the context of the current process. To exploit vulnerability malformed DGN file should be opened.
CVE-2021-31784 An out-of-bounds write vulnerability exists in the file-reading procedure in Open Design Alliance Drawings SDK before 2021.6 on all supported by ODA platforms in static configuration. This can allow attackers to cause a crash, potentially enabling a denial of service attack (Crash, Exit, or Restart) or possible code execution. Buffer Overflow Drawings SDK - All Versions < 2021.6.
Fixed in 2021.6.
Context-dependent This can allow attackers to cause a crash potentially enabling a denial of service attack or possible code execution. To exploit vulnerability malformed DXF file should be opened.
CVE-2021-25178 An issue was discovered in Open Design Alliance Drawings SDK before 2021.11. A stack-based buffer overflow vulnerability exists when the recover operation is run with malformed .DXF and .DWG files. This can allow attackers to cause a crash potentially enabling a denial of service attack (Crash, Exit, or Restart) or possible code execution. Buffer Overflow Drawings SDK - All versions < 2021.11.
Fixed in 2021.11
Context-dependent This can allow attackers to cause a crash potentially enabling a denial of service attack or possible code execution. To exploit vulnerability malformed drawing file should be opened via 'recover'.
CVE-2021-25177 An issue was discovered in Open Design Alliance Drawings SDK before 2021.11. A Type Confusion issue exists when rendering malformed .DXF and .DWG files. This can allow attackers to cause a crash, potentially enabling a denial of service attack (Crash, Exit, or Restart). Access of Resource Using Incompatible Type ('Type Confusion’) Drawings SDK - All Versions < 2021.11.
Fixed in 2021.11
Context-dependent This can allow attackers to cause a crash potentially enabling a denial of service attack. To exploit vulnerability malformed drawing file should be rendered.
CVE-2021-25176 An issue was discovered in Open Design Alliance Drawings SDK before 2021.11. A NULL pointer dereference exists when rendering malformed .DXF and .DWG files. This can allow attackers to cause a crash, potentially enabling a denial of service attack (Crash, Exit, or Restart). Untrusted Pointer Dereference Drawings SDK - All Versions < 2021.11.
Fixed in 2021.11
Context-dependent This can allow attackers to cause a crash potentially enabling a denial of service attack. To exploit vulnerability malformed drawing file should be rendered.
CVE-2021-25175 An issue was discovered in Open Design Alliance Drawings SDK before 2021.11. A Type Conversion issue exists when rendering malformed .DXF and .DWG files. This can allow attackers to cause a crash, potentially enabling a denial of service attack (Crash, Exit, or Restart). Incorrect Type Conversion or Cast Drawings SDK - All Versions < 2021.11.
Fixed in 2021.11
Context-dependent This can allow attackers to cause a crash potentially enabling a denial of service attack. To exploit vulnerability malformed drawing file should be rendered.
CVE-2021-25174 An issue was discovered in Open Design Alliance Drawings SDK before 2021.12. A memory corruption vulnerability exists when reading malformed DGN files. It can allow attackers to cause a crash, potentially enabling denial of service (Crash, Exit, or Restart). Memory Allocation with Excessive Size Value Drawings SDK - All Versions < 2021.12.
Fixed in 2021.12
Context-dependent This can allow attackers to cause a crash potentially enabling a denial of service attack or possible code execution. To exploit vulnerability malformed DGN file should be opened.
CVE-2021-25173 An issue was discovered in Open Design Alliance Drawings SDK before 2021.12. A memory allocation with excessive size vulnerability exists when reading malformed DGN files, which allows attackers to cause a crash, potentially enabling denial of service (crash, exit, or restart). Memory Allocation with Excessive Size Value Drawings SDK - All Versions < 2021.12.
Fixed in 2021.12
Context-dependent This can allow attackers to cause a crash potentially enabling a denial of service attack or possible code execution. To exploit vulnerability malformed DGN file should be opened.
CVE-2018-18223 Open Design Alliance Drawings SDK 2019Update1 has a vulnerability during the reading of malformed files, allowing attackers to obtain sensitive information from process memory or cause a crash. Buffer Overflow Drawings SDK - 2019Update1 Context-dependent This can allow attackers to read sensitive information from other memory locations or cause a crash. To exploit vulnerability broken drawing file should be opened.
CVE-2018-18224 A vulnerability exists in the file reading procedure in Open Design Alliance Drawings SDK 2019Update1 on non-Windows platforms in which attackers could perform read operations past the end, or before the beginning, of the intended buffer. This can allow attackers to obtain sensitive information from process memory or cause a crash. Buffer Overflow Drawings SDK - 2019Update1 Context-dependent This can allow attackers to read sensitive information from other memory locations or cause a crash.