ODA Security Advisories

Vulnerabilities in the ODA Drawings Software Development Kit

Vulnerability Name Description Vulnerability Type Affected Product Code Base Attack Type CVE Impact Other Attack Vectors
CVE-2021-31784 An out-of-bounds write vulnerability exists in the file-reading procedure in Open Design Alliance Drawings SDK before 2021.6 on all supported by ODA platforms in static configuration. This can allow attackers to cause a crash, potentially enabling a denial of service attack (Crash, Exit, or Restart) or possible code execution. Buffer Overflow Drawings SDK - All Versions < 2021.6.
Fixed in 2021.6.
Context-dependent This can allow attackers to cause a crash potentially enabling a denial of service attack or possible code execution. To exploit vulnerability malformed DXF file should be opened.
CVE-2021-25178 An issue was discovered in Open Design Alliance Drawings SDK before 2021.11. A stack-based buffer overflow vulnerability exists when the recover operation is run with malformed .DXF and .DWG files. This can allow attackers to cause a crash potentially enabling a denial of service attack (Crash, Exit, or Restart) or possible code execution. Buffer Overflow Drawings SDK - All versions < 2021.11.
Fixed in 2021.11
Context-dependent This can allow attackers to cause a crash potentially enabling a denial of service attack or possible code execution. To exploit vulnerability malformed drawing file should be opened via 'recover'.
CVE-2021-25177 An issue was discovered in Open Design Alliance Drawings SDK before 2021.11. A Type Confusion issue exists when rendering malformed .DXF and .DWG files. This can allow attackers to cause a crash, potentially enabling a denial of service attack (Crash, Exit, or Restart). Access of Resource Using Incompatible Type ('Type Confusion’) Drawings SDK - All Versions < 2021.11.
Fixed in 2021.11
Context-dependent This can allow attackers to cause a crash potentially enabling a denial of service attack. To exploit vulnerability malformed drawing file should be rendered.
CVE-2021-25176 An issue was discovered in Open Design Alliance Drawings SDK before 2021.11. A NULL pointer dereference exists when rendering malformed .DXF and .DWG files. This can allow attackers to cause a crash, potentially enabling a denial of service attack (Crash, Exit, or Restart). Untrusted Pointer Dereference Drawings SDK - All Versions < 2021.11.
Fixed in 2021.11
Context-dependent This can allow attackers to cause a crash potentially enabling a denial of service attack. To exploit vulnerability malformed drawing file should be rendered.
CVE-2021-25175 An issue was discovered in Open Design Alliance Drawings SDK before 2021.11. A Type Conversion issue exists when rendering malformed .DXF and .DWG files. This can allow attackers to cause a crash, potentially enabling a denial of service attack (Crash, Exit, or Restart). Incorrect Type Conversion or Cast Drawings SDK - All Versions < 2021.11.
Fixed in 2021.11
Context-dependent This can allow attackers to cause a crash potentially enabling a denial of service attack. To exploit vulnerability malformed drawing file should be rendered.
CVE-2021-25174 An issue was discovered in Open Design Alliance Drawings SDK before 2021.12. A memory corruption vulnerability exists when reading malformed DGN files. It can allow attackers to cause a crash, potentially enabling denial of service (Crash, Exit, or Restart). Memory Allocation with Excessive Size Value Drawings SDK - All Versions < 2021.12.
Fixed in 2021.12
Context-dependent This can allow attackers to cause a crash potentially enabling a denial of service attack or possible code execution. To exploit vulnerability malformed DGN file should be opened.
CVE-2021-25173 An issue was discovered in Open Design Alliance Drawings SDK before 2021.12. A memory allocation with excessive size vulnerability exists when reading malformed DGN files, which allows attackers to cause a crash, potentially enabling denial of service (crash, exit, or restart). Memory Allocation with Excessive Size Value Drawings SDK - All Versions < 2021.12.
Fixed in 2021.12
Context-dependent This can allow attackers to cause a crash potentially enabling a denial of service attack or possible code execution. To exploit vulnerability malformed DGN file should be opened.
CVE-2018-18223 Open Design Alliance Drawings SDK 2019Update1 has a vulnerability during the reading of malformed files, allowing attackers to obtain sensitive information from process memory or cause a crash. Buffer Overflow Drawings SDK - 2019Update1 Context-dependent This can allow attackers to read sensitive information from other memory locations or cause a crash. To exploit vulnerability broken drawing file should be opened.
CVE-2018-18224 A vulnerability exists in the file reading procedure in Open Design Alliance Drawings SDK 2019Update1 on non-Windows platforms in which attackers could perform read operations past the end, or before the beginning, of the intended buffer. This can allow attackers to obtain sensitive information from process memory or cause a crash. Buffer Overflow Drawings SDK - 2019Update1 Context-dependent This can allow attackers to read sensitive information from other memory locations or cause a crash.