CVE-2021-25178
Siemens JT2Go DWG File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
An issue was discovered in Open Design Alliance Drawings SDK before 2021.11. A stack-based buffer overflow vulnerability exists when the recover operation is run with malformed .DXF and .DWG files. This can allow attackers to cause a crash potentially enabling a denial of service attack (Crash, Exit, or Restart) or possible code execution.
Se detectó un problema en Open Design Alliance Drawings SDK versiones anteriores a 2021.11. Se presenta una vulnerabilidad de desbordamiento del búfer en la región stack de la memoria cuando la operación de recuperación se ejecuta con archivos .DXF y .DWG malformados. Esto puede permitir a los atacantes causar un bloqueo permitiendo potencialmente un ataque de denegación de servicio (bloqueo, salida o reinicio) o una posible ejecución de código
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Siemens JT2Go. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the parsing of DWG files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-01-15 CVE Reserved
- 2021-01-18 CVE Published
- 2024-08-03 CVE Updated
- 2024-11-22 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-787: Out-of-bounds Write
CAPEC
References (6)
| URL | Tag | Source |
|---|---|---|
| https://www.zerodayinitiative.com/advisories/ZDI-21-220 | Third Party Advisory |
|
| https://www.zerodayinitiative.com/advisories/ZDI-21-240 | Third Party Advisory |
|
| https://www.zerodayinitiative.com/advisories/ZDI-21-243 | Third Party Advisory |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://cert-portal.siemens.com/productcert/pdf/ssa-155599.pdf | 2022-04-08 | |
| https://cert-portal.siemens.com/productcert/pdf/ssa-663999.pdf | 2022-04-08 |
| URL | Date | SRC |
|---|---|---|
| https://www.opendesign.com/security-advisories | 2022-04-08 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Opendesign Search vendor "Opendesign" | Drawings Software Development Kit Search vendor "Opendesign" for product "Drawings Software Development Kit" | < 2021.11 Search vendor "Opendesign" for product "Drawings Software Development Kit" and version " < 2021.11" | - |
Affected
| ||||||
| Siemens Search vendor "Siemens" | Comos Search vendor "Siemens" for product "Comos" | < 10.4.1 Search vendor "Siemens" for product "Comos" and version " < 10.4.1" | - |
Affected
| ||||||
| Siemens Search vendor "Siemens" | Jt2go Search vendor "Siemens" for product "Jt2go" | < 13.1.0.1 Search vendor "Siemens" for product "Jt2go" and version " < 13.1.0.1" | - |
Affected
| ||||||
| Siemens Search vendor "Siemens" | Teamcenter Visualization Search vendor "Siemens" for product "Teamcenter Visualization" | < 13.1.0.1 Search vendor "Siemens" for product "Teamcenter Visualization" and version " < 13.1.0.1" | - |
Affected
| ||||||