CVE-2022-33886

A maliciously crafted MODEL and SLDPRT file can be used to write beyond the allocated buffer while parsing through Autodesk AutoCAD 2023, 2022, 2021, 2020, and Maya 2023 and 2022. The vulnerability exists because the application fails to handle crafted MODEL and SLDPRT files, which causes an unhandled exception. A malicious actor could leverage this vulnerability to execute arbitrary code.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.autodesk.com/trust/security-advisories/adsk-sa-2022-0020	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:autodesk:autocad::::::::
	cpe:2.3:a:autodesk:autocad::::::::
	cpe:2.3:a:autodesk:autocad_advance_steel::::::::
	cpe:2.3:a:autodesk:autocad_advance_steel::::::::
	cpe:2.3:a:autodesk:autocad_architecture::::::::
	cpe:2.3:a:autodesk:autocad_architecture::::::::
	cpe:2.3:a:autodesk:autocad_civil_3d::::::::
	cpe:2.3:a:autodesk:autocad_civil_3d::::::::
	cpe:2.3:a:autodesk:autocad_electrical::::::::
	cpe:2.3:a:autodesk:autocad_electrical::::::::
	cpe:2.3:a:autodesk:autocad_lt::::::::
	cpe:2.3:a:autodesk:autocad_lt::::::::
	cpe:2.3:a:autodesk:autocad_map_3d::::::::
	cpe:2.3:a:autodesk:autocad_map_3d::::::::
	cpe:2.3:a:autodesk:autocad_mechanical::::::::
	cpe:2.3:a:autodesk:autocad_mechanical::::::::
	cpe:2.3:a:autodesk:autocad_mep::::::::
	cpe:2.3:a:autodesk:autocad_mep::::::::
	cpe:2.3:a:autodesk:autocad_plant_3d::::::::
	cpe:2.3:a:autodesk:autocad_plant_3d::::::::

History

17 Apr 2023, 21:15

Type	Values Removed	Values Added
Summary	A maliciously crafted MODEL and SLDPRT file can be used to write beyond the allocated buffer while parsing through Autodesk AutoCAD 2023 and 2022. The vulnerability exists because the application fails to handle crafted MODEL and SLDPRT files, which causes an unhandled exception. An attacker can leverage this vulnerability to execute arbitrary code.	A maliciously crafted MODEL and SLDPRT file can be used to write beyond the allocated buffer while parsing through Autodesk AutoCAD 2023, 2022, 2021, 2020, and Maya 2023 and 2022. The vulnerability exists because the application fails to handle crafted MODEL and SLDPRT files, which causes an unhandled exception. A malicious actor could leverage this vulnerability to execute arbitrary code.

05 Oct 2022, 13:14

Type	Values Removed	Values Added
First Time		Autodesk Autodesk autocad Architecture Autodesk autocad Civil 3d Autodesk autocad Map 3d Autodesk autocad Advance Steel Autodesk autocad Lt Autodesk autocad Electrical Autodesk autocad Autodesk autocad Mechanical Autodesk autocad Mep Autodesk autocad Plant 3d
CPE		cpe:2.3:a:autodesk:autocad:::::::: cpe:2.3:a:autodesk:autocad_civil_3d:::::::: cpe:2.3:a:autodesk:autocad_architecture:::::::: cpe:2.3:a:autodesk:autocad_plant_3d:::::::: cpe:2.3:a:autodesk:autocad_map_3d:::::::: cpe:2.3:a:autodesk:autocad_mechanical:::::::: cpe:2.3:a:autodesk:autocad_mep:::::::: cpe:2.3:a:autodesk:autocad_advance_steel:::::::: cpe:2.3:a:autodesk:autocad_electrical:::::::: cpe:2.3:a:autodesk:autocad_lt::::::::
CWE		CWE-755
References	~~(MISC) https://www.autodesk.com/trust/security-advisories/adsk-sa-2022-0020 -~~	(MISC) https://www.autodesk.com/trust/security-advisories/adsk-sa-2022-0020 - Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.8

03 Oct 2022, 15:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-10-03 15:15

Updated : 2023-12-10 14:35

NVD link : CVE-2022-33886

Mitre link : CVE-2022-33886

CVE.ORG link : CVE-2022-33886

JSON object : View

Products Affected

autodesk

autocad_plant_3d
autocad_electrical
autocad_lt
autocad_mep
autocad_civil_3d
autocad
autocad_advance_steel
autocad_mechanical
autocad_map_3d
autocad_architecture

CWE

CWE-755

Improper Handling of Exceptional Conditions

7.8 /10