CWE-457
Use of Uninitialized Variable
The code uses a variable that has not been initialized, leading to unpredictable or unintended results.
CVE-2023-42079 (GCVE-0-2023-42079)
Vulnerability from cvelistv5 – Published: 2024-05-03 02:12 – Updated: 2024-08-02 19:16
VLAI
Title
PDF-XChange Editor J2K File Parsing Uninitialized Variable Information Disclosure Vulnerability
Summary
PDF-XChange Editor J2K File Parsing Uninitialized Variable Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the parsing of J2K files. The issue results from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-21851.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-457 - Use of Uninitialized Variable
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.zerodayinitiative.com/advisories/ZDI-… | x_research-advisory |
| https://www.tracker-software.com/support/security… | vendor-advisory |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| PDF-XChange | PDF-XChange Editor |
Affected:
10.0.1.371
|
|
| pdf-xchange | pdf-xchange_editor |
Affected:
10.0.1.371
cpe:2.3:a:pdf-xchange:pdf-xchange_editor:10.0.1.371:*:*:*:*:*:*:* |
Date Public
2023-09-08 16:30
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:pdf-xchange:pdf-xchange_editor:10.0.1.371:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "pdf-xchange_editor",
"vendor": "pdf-xchange",
"versions": [
{
"status": "affected",
"version": "10.0.1.371"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-42079",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-21T18:08:24.527781Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:25:40.763Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:16:50.453Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "ZDI-23-1380",
"tags": [
"x_research-advisory",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1380/"
},
{
"name": "vendor-provided URL",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.tracker-software.com/support/security-bulletins.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "PDF-XChange Editor",
"vendor": "PDF-XChange",
"versions": [
{
"status": "affected",
"version": "10.0.1.371"
}
]
}
],
"dateAssigned": "2023-09-06T21:25:45.253Z",
"datePublic": "2023-09-08T16:30:29.722Z",
"descriptions": [
{
"lang": "en",
"value": "PDF-XChange Editor J2K File Parsing Uninitialized Variable Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of J2K files. The issue results from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-21851."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-457",
"description": "CWE-457: Use of Uninitialized Variable",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-03T02:12:56.230Z",
"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"shortName": "zdi"
},
"references": [
{
"name": "ZDI-23-1380",
"tags": [
"x_research-advisory"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1380/"
},
{
"name": "vendor-provided URL",
"tags": [
"vendor-advisory"
],
"url": "https://www.tracker-software.com/support/security-bulletins.html"
}
],
"source": {
"lang": "en",
"value": "Mat Powell of Trend Micro Zero Day Initiative"
},
"title": "PDF-XChange Editor J2K File Parsing Uninitialized Variable Information Disclosure Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"assignerShortName": "zdi",
"cveId": "CVE-2023-42079",
"datePublished": "2024-05-03T02:12:56.230Z",
"dateReserved": "2023-09-06T21:13:00.550Z",
"dateUpdated": "2024-08-02T19:16:50.453Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-50188 (GCVE-0-2023-50188)
Vulnerability from cvelistv5 – Published: 2024-05-03 02:14 – Updated: 2024-08-02 22:09
VLAI
Title
Trimble SketchUp Viewer SKP File Parsing Uninitialized Variable Remote Code Execution Vulnerability
Summary
Trimble SketchUp Viewer SKP File Parsing Uninitialized Variable Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Trimble SketchUp Viewer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the parsing of SKP files. The issue results from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-20792.
Severity
7.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-457 - Use of Uninitialized Variable
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.zerodayinitiative.com/advisories/ZDI-… | x_research-advisory |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Trimble | SketchUp Viewer |
Affected:
22.0.354
|
|
| trimble | sketchup_viewer |
Affected:
22.0.354
cpe:2.3:a:trimble:sketchup_viewer:22.0.354:*:*:*:*:*:*:* |
Date Public
2023-12-20 20:56
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:trimble:sketchup_viewer:22.0.354:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "sketchup_viewer",
"vendor": "trimble",
"versions": [
{
"status": "affected",
"version": "22.0.354"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-50188",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-06T13:20:03.535108Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:17:52.765Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:09:49.652Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "ZDI-23-1838",
"tags": [
"x_research-advisory",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1838/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "SketchUp Viewer",
"vendor": "Trimble",
"versions": [
{
"status": "affected",
"version": "22.0.354"
}
]
}
],
"dateAssigned": "2023-12-05T19:37:59.483Z",
"datePublic": "2023-12-20T20:56:21.852Z",
"descriptions": [
{
"lang": "en",
"value": "Trimble SketchUp Viewer SKP File Parsing Uninitialized Variable Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Trimble SketchUp Viewer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of SKP files. The issue results from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-20792."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-457",
"description": "CWE-457: Use of Uninitialized Variable",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-03T02:14:15.489Z",
"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"shortName": "zdi"
},
"references": [
{
"name": "ZDI-23-1838",
"tags": [
"x_research-advisory"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1838/"
}
],
"source": {
"lang": "en",
"value": "Anonymous"
},
"title": "Trimble SketchUp Viewer SKP File Parsing Uninitialized Variable Remote Code Execution Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"assignerShortName": "zdi",
"cveId": "CVE-2023-50188",
"datePublished": "2024-05-03T02:14:15.489Z",
"dateReserved": "2023-12-05T16:15:17.537Z",
"dateUpdated": "2024-08-02T22:09:49.652Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-6324 (GCVE-0-2023-6324)
Vulnerability from cvelistv5 – Published: 2024-05-15 12:09 – Updated: 2024-08-02 08:28
VLAI
Title
ThroughTek Kalay SDK error in handling the PSK identity
Summary
ThroughTek Kalay SDK uses a predictable PSK value in the DTLS session when encountering an unexpected PSK identity
Severity
8.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-457 - Use of Uninitialized Variable
Assigner
References
1 reference
Impacted products
5 products
| Vendor | Product | Version | |
|---|---|---|---|
| ThroughTek | Kalay SDK |
Affected:
3.1.10.0 , ≤ 3.1.10.16
(custom)
Affected: 3.2.0.0 , ≤ 3.3.6.1 (custom) Affected: 3.4.0.0 , ≤ 3.4.7.3 (custom) Affected: 4.0.0.0 , ≤ 4.3.3.1 (custom) |
|
| throughtek | kalay_sdk |
Affected:
3.1.10.0
cpe:2.3:a:throughtek:kalay_sdk:3.1.10.0:*:*:*:*:*:*:* |
|
| throughtek | kalay_sdk |
Affected:
3.2.0.0
cpe:2.3:a:throughtek:kalay_sdk:3.2.0.0:*:*:*:*:*:*:* |
|
| throughtek | kalay_sdk |
Affected:
3.4.0.0
cpe:2.3:a:throughtek:kalay_sdk:3.4.0.0:*:*:*:*:*:*:* |
|
| throughtek | kalay_sdk |
Affected:
4.0.0.0
cpe:2.3:a:throughtek:kalay_sdk:4.0.0.0:*:*:*:*:*:*:* |
Date Public
2024-05-15 12:00
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:throughtek:kalay_sdk:3.1.10.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "kalay_sdk",
"vendor": "throughtek",
"versions": [
{
"status": "affected",
"version": "3.1.10.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:throughtek:kalay_sdk:3.2.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "kalay_sdk",
"vendor": "throughtek",
"versions": [
{
"status": "affected",
"version": "3.2.0.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:throughtek:kalay_sdk:3.4.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "kalay_sdk",
"vendor": "throughtek",
"versions": [
{
"status": "affected",
"version": "3.4.0.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:throughtek:kalay_sdk:4.0.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "kalay_sdk",
"vendor": "throughtek",
"versions": [
{
"status": "affected",
"version": "4.0.0.0"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-6324",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-15T16:02:56.677237Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:17:18.138Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:28:21.511Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://bitdefender.com/blog/labs/notes-on-throughtek-kalay-vulnerabilities-and-their-impact/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Kalay SDK",
"vendor": "ThroughTek",
"versions": [
{
"lessThanOrEqual": "3.1.10.16",
"status": "affected",
"version": "3.1.10.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "3.3.6.1",
"status": "affected",
"version": "3.2.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "3.4.7.3",
"status": "affected",
"version": "3.4.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.3.3.1",
"status": "affected",
"version": "4.0.0.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Alexandru Lazar"
},
{
"lang": "en",
"type": "finder",
"value": "Radu Basaraba"
}
],
"datePublic": "2024-05-15T12:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003e\u003cp\u003eThroughTek Kalay SDK uses a predictable PSK value in the DTLS session when encountering an unexpected PSK identity \u003c/p\u003e\u003c/div\u003e\u003c/div\u003e"
}
],
"value": "ThroughTek Kalay SDK uses a predictable PSK value in the DTLS session when encountering an unexpected PSK identity"
}
],
"impacts": [
{
"capecId": "CAPEC-153",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-153 Input Data Manipulation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-457",
"description": "CWE-457 Use of Uninitialized Variable",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-15T12:09:29.682Z",
"orgId": "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82",
"shortName": "Bitdefender"
},
"references": [
{
"url": "https://bitdefender.com/blog/labs/notes-on-throughtek-kalay-vulnerabilities-and-their-impact/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "ThroughTek Kalay SDK error in handling the PSK identity",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82",
"assignerShortName": "Bitdefender",
"cveId": "CVE-2023-6324",
"datePublished": "2024-05-15T12:09:29.682Z",
"dateReserved": "2023-11-27T14:22:36.362Z",
"dateUpdated": "2024-08-02T08:28:21.511Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-10204 (GCVE-0-2024-10204)
Vulnerability from cvelistv5 – Published: 2024-11-19 13:15 – Updated: 2024-11-19 14:09
VLAI
Title
Heap-based Buffer Overflow and Uninitialized Variable vulnerabilities exist in eDrawings from Release SOLIDWORKS 2024 through Release SOLIDWORKS 2025
Summary
Heap-based Buffer Overflow and Uninitialized Variable vulnerabilities exist in the X_B and SAT file reading procedure in eDrawings from Release SOLIDWORKS 2024 through Release SOLIDWORKS 2025. These vulnerabilities could allow an attacker to execute arbitrary code while opening a specially crafted X_B or SAT file.
Severity
7.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Dassault Systèmes | eDrawings |
Affected:
Release SOLIDWORKS 2024 SP0 , ≤ Release SOLIDWORKS 2024 SP5
(custom)
Affected: Release SOLIDWORKS 2025 SP0 |
|
| dassault | edrawings |
Affected:
solidworks_2024_sp0 , ≤ solidworks_2024_sp5
(custom)
Affected: solidworks_2025_sp0 cpe:2.3:a:dassault:edrawings:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:dassault:edrawings:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "edrawings",
"vendor": "dassault",
"versions": [
{
"lessThanOrEqual": "solidworks_2024_sp5",
"status": "affected",
"version": "solidworks_2024_sp0",
"versionType": "custom"
},
{
"status": "affected",
"version": "solidworks_2025_sp0"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-10204",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-19T14:04:48.309764Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-19T14:09:14.475Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "eDrawings",
"vendor": "Dassault Syst\u00e8mes",
"versions": [
{
"lessThanOrEqual": "Release SOLIDWORKS 2024 SP5",
"status": "affected",
"version": "Release SOLIDWORKS 2024 SP0",
"versionType": "custom"
},
{
"status": "affected",
"version": "Release SOLIDWORKS 2025 SP0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Mat Powell of Trend Micro Zero Day Initiative"
},
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Andrea Micalizzi aka rgod (@rgod777) working with Trend Micro Zero Day Initiative"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Heap-based Buffer Overflow and Uninitialized Variable vulnerabilities exist in the X_B and SAT file reading procedure in eDrawings from Release SOLIDWORKS 2024 through Release SOLIDWORKS 2025. These vulnerabilities could allow an attacker to execute arbitrary code while opening a specially crafted X_B or SAT file."
}
],
"value": "Heap-based Buffer Overflow and Uninitialized Variable vulnerabilities exist in the X_B and SAT file reading procedure in eDrawings from Release SOLIDWORKS 2024 through Release SOLIDWORKS 2025. These vulnerabilities could allow an attacker to execute arbitrary code while opening a specially crafted X_B or SAT file."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122 Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-457",
"description": "CWE-457: Use of Uninitialized Variable",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-19T13:15:41.223Z",
"orgId": "f5a594e6-46a7-4e60-8a08-0a786e70e433",
"shortName": "3DS"
},
"references": [
{
"url": "https://www.3ds.com/vulnerability/advisories"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Heap-based Buffer Overflow and Uninitialized Variable vulnerabilities exist in eDrawings from Release SOLIDWORKS 2024 through Release SOLIDWORKS 2025",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f5a594e6-46a7-4e60-8a08-0a786e70e433",
"assignerShortName": "3DS",
"cveId": "CVE-2024-10204",
"datePublished": "2024-11-19T13:15:41.223Z",
"dateReserved": "2024-10-21T07:28:40.214Z",
"dateUpdated": "2024-11-19T14:09:14.475Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-10934 (GCVE-0-2024-10934)
Vulnerability from cvelistv5 – Published: 2024-11-15 19:20 – Updated: 2025-10-02 14:09
VLAI
Title
OpenBSD NFS double-free vulnerability
Summary
In OpenBSD 7.5 before errata 008 and OpenBSD 7.4 before errata 021,
avoid possible mbuf double free in NFS client and server implementation, do not use uninitialized variable in error handling of NFS server.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
Impacted products
Date Public
2024-11-15 00:00
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:openbsd:openbsd:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "openbsd",
"vendor": "openbsd",
"versions": [
{
"lessThan": "7.5_errata_008",
"status": "affected",
"version": "7.5",
"versionType": "custom"
},
{
"lessThan": "7.4_errata_021",
"status": "affected",
"version": "7.4",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-10934",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-15T19:46:59.490027Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-15T19:47:11.376Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "OpenBSD",
"vendor": "OpenBSD",
"versions": [
{
"status": "affected",
"version": "7.5"
},
{
"status": "affected",
"version": "7.4"
}
]
}
],
"datePublic": "2024-11-15T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "In OpenBSD 7.5 before errata 008 and OpenBSD 7.4 before errata 021, \navoid possible mbuf double free in NFS client and server implementation, do not use uninitialized variable in error handling of NFS server."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
},
{
"cvssV4_0": {
"baseScore": 9.2,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/AU:Y",
"version": "4.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-415",
"description": "CWE-415 Double Free",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-457",
"description": "CWE-457 Use of Uninitialized Variable",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T14:09:00.828Z",
"orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
"shortName": "cisa-cg"
},
"references": [
{
"name": "url",
"url": "https://ftp.openbsd.org/pub/OpenBSD/patches/7.5/common/008_nfs.patch.sig"
},
{
"name": "url",
"url": "https://ftp.openbsd.org/pub/OpenBSD/patches/7.4/common/021_nfs.patch.sig"
}
],
"title": "OpenBSD NFS double-free vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
"assignerShortName": "cisa-cg",
"cveId": "CVE-2024-10934",
"datePublished": "2024-11-15T19:20:02.231Z",
"dateReserved": "2024-11-06T18:12:18.387Z",
"dateUpdated": "2025-10-02T14:09:00.828Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-1847 (GCVE-0-2024-1847)
Vulnerability from cvelistv5 – Published: 2024-02-28 17:34 – Updated: 2024-09-02 08:11
VLAI
Title
Multiple vulnerabilities exist in file reading procedure in eDrawings from Release SOLIDWORKS 2023 through Release SOLIDWORKS 2024
Summary
Heap-based Buffer Overflow, Memory Corruption, Out-Of-Bounds Read, Out-Of-Bounds Write, Stack-based Buffer Overflow, Type Confusion, Uninitialized Variable, Use-After-Free vulnerabilities exist in the file reading procedure in eDrawings from Release SOLIDWORKS 2023 through Release SOLIDWORKS 2024. These vulnerabilities could allow an attacker to execute arbitrary code while opening a specially crafted CATPART, IPT, JT, SAT, STL, STP, X_B or X_T file. NOTE: CVE-2024-3298 and CVE-2024-3299 were SPLIT from this ID.
Severity
7.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Dassault Systèmes | eDrawings |
Affected:
Release SOLIDWORKS 2023 SP0 , ≤ Release SOLIDWORKS 2023 SP5
(custom)
Affected: Release SOLIDWORKS 2024 SP0 , ≤ Release SOLIDWORKS 2024 SP1 (custom) |
|
| 3ds | edrawings |
Affected:
2023 , ≤ 2023_sp5
(custom)
cpe:2.3:a:3ds:edrawings:2023:sp0:*:*:*:*:*:* |
|
| 3ds | edrawings |
Affected:
2024 , ≤ 2024_sp1
(custom)
cpe:2.3:a:3ds:edrawings:2024:sp0:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:3ds:edrawings:2023:sp0:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "edrawings",
"vendor": "3ds",
"versions": [
{
"lessThanOrEqual": "2023_sp5",
"status": "affected",
"version": "2023",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:3ds:edrawings:2024:sp0:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "edrawings",
"vendor": "3ds",
"versions": [
{
"lessThanOrEqual": "2024_sp1",
"status": "affected",
"version": "2024",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1847",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-28T20:15:41.666871Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-26T15:33:34.173Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:56:22.102Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.3ds.com/vulnerability/advisories"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "eDrawings",
"vendor": "Dassault Syst\u00e8mes",
"versions": [
{
"lessThanOrEqual": "Release SOLIDWORKS 2023 SP5",
"status": "affected",
"version": "Release SOLIDWORKS 2023 SP0",
"versionType": "custom"
},
{
"lessThanOrEqual": "Release SOLIDWORKS 2024 SP1",
"status": "affected",
"version": "Release SOLIDWORKS 2024 SP0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Mat Powell of Trend Micro Zero Day Initiative"
},
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Francis Provencher {PRL}"
},
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "rgod"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Heap-based Buffer Overflow, Memory Corruption, Out-Of-Bounds Read, Out-Of-Bounds Write, Stack-based Buffer Overflow, Type Confusion, Uninitialized Variable, Use-After-Free vulnerabilities exist in the file reading procedure in eDrawings from Release SOLIDWORKS 2023 through Release SOLIDWORKS 2024. These vulnerabilities could allow an attacker to execute arbitrary code while opening a specially crafted CATPART, IPT, JT, SAT, STL, STP, X_B or X_T file. NOTE: CVE-2024-3298 and CVE-2024-3299 were SPLIT from this ID."
}
],
"value": "Heap-based Buffer Overflow, Memory Corruption, Out-Of-Bounds Read, Out-Of-Bounds Write, Stack-based Buffer Overflow, Type Confusion, Uninitialized Variable, Use-After-Free vulnerabilities exist in the file reading procedure in eDrawings from Release SOLIDWORKS 2023 through Release SOLIDWORKS 2024. These vulnerabilities could allow an attacker to execute arbitrary code while opening a specially crafted CATPART, IPT, JT, SAT, STL, STP, X_B or X_T file. NOTE: CVE-2024-3298 and CVE-2024-3299 were SPLIT from this ID."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-843",
"description": "CWE-843 Access of Resource Using Incompatible Type (\u0027Type Confusion\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-908",
"description": "CWE-908 Use of Uninitialized Resource",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122 Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-457",
"description": "CWE-457: Use of Uninitialized Variable",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-02T08:11:23.914Z",
"orgId": "f5a594e6-46a7-4e60-8a08-0a786e70e433",
"shortName": "3DS"
},
"references": [
{
"url": "https://www.3ds.com/vulnerability/advisories"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Multiple vulnerabilities exist in file reading procedure in eDrawings from Release SOLIDWORKS 2023 through Release SOLIDWORKS 2024",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f5a594e6-46a7-4e60-8a08-0a786e70e433",
"assignerShortName": "3DS",
"cveId": "CVE-2024-1847",
"datePublished": "2024-02-28T17:34:00.666Z",
"dateReserved": "2024-02-23T16:39:26.436Z",
"dateUpdated": "2024-09-02T08:11:23.914Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-1848 (GCVE-0-2024-1848)
Vulnerability from cvelistv5 – Published: 2024-03-22 10:58 – Updated: 2024-09-02 08:10
VLAI
Title
Multiple vulnerabilities exist in file reading procedure in SOLIDWORKS Desktop on Release SOLIDWORKS 2024
Summary
Heap-based Buffer Overflow, Memory Corruption, Out-Of-Bounds Read, Out-Of-Bounds Write, Stack-based Buffer Overflow, Type Confusion, Uninitialized Variable, Use-After-Free vulnerabilities exist in the file reading procedure in SOLIDWORKS Desktop on Release SOLIDWORKS 2024.
These vulnerabilities could allow an attacker to execute arbitrary code while opening a specially crafted CATPART, DWG, DXF, IPT, JT, SAT, SLDDRW, SLDPRT, STL, STP, X_B or X_T file.
Severity
7.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Dassault Systèmes | SOLIDWORKS Desktop |
Affected:
Release SOLIDWORKS 2024 SP0 , ≤ Release SOLIDWORKS 2024 SP1
(custom)
|
|
| 3ds | 3dexperience_solidworks |
Affected:
2024 , ≤ 2024_sp1
(custom)
cpe:2.3:a:3ds:3dexperience_solidworks:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:56:22.220Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.3ds.com/vulnerability/advisories"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:3ds:3dexperience_solidworks:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "3dexperience_solidworks",
"vendor": "3ds",
"versions": [
{
"lessThanOrEqual": "2024_sp1",
"status": "affected",
"version": "2024",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1848",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-27T13:54:59.990290Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-21T22:52:08.960Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SOLIDWORKS Desktop",
"vendor": "Dassault Syst\u00e8mes",
"versions": [
{
"lessThanOrEqual": "Release SOLIDWORKS 2024 SP1",
"status": "affected",
"version": "Release SOLIDWORKS 2024 SP0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Heap-based Buffer Overflow, Memory Corruption, Out-Of-Bounds Read, Out-Of-Bounds Write, Stack-based Buffer Overflow, Type Confusion, Uninitialized Variable, Use-After-Free vulnerabilities exist in the file reading procedure in SOLIDWORKS Desktop on Release SOLIDWORKS 2024.\u003cbr\u003eThese vulnerabilities could allow an attacker to execute arbitrary code while opening a specially crafted CATPART, DWG, DXF, IPT, JT, SAT, SLDDRW, SLDPRT, STL, STP, X_B or X_T file."
}
],
"value": "Heap-based Buffer Overflow, Memory Corruption, Out-Of-Bounds Read, Out-Of-Bounds Write, Stack-based Buffer Overflow, Type Confusion, Uninitialized Variable, Use-After-Free vulnerabilities exist in the file reading procedure in SOLIDWORKS Desktop on Release SOLIDWORKS 2024.\nThese vulnerabilities could allow an attacker to execute arbitrary code while opening a specially crafted CATPART, DWG, DXF, IPT, JT, SAT, SLDDRW, SLDPRT, STL, STP, X_B or X_T file."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-843",
"description": "CWE-843 Access of Resource Using Incompatible Type (\u0027Type Confusion\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-908",
"description": "CWE-908 Use of Uninitialized Resource",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122 Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-457",
"description": "CWE-457: Use of Uninitialized Variable",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-02T08:10:55.832Z",
"orgId": "f5a594e6-46a7-4e60-8a08-0a786e70e433",
"shortName": "3DS"
},
"references": [
{
"url": "https://www.3ds.com/vulnerability/advisories"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Multiple vulnerabilities exist in file reading procedure in SOLIDWORKS Desktop on Release SOLIDWORKS 2024",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f5a594e6-46a7-4e60-8a08-0a786e70e433",
"assignerShortName": "3DS",
"cveId": "CVE-2024-1848",
"datePublished": "2024-03-22T10:58:51.824Z",
"dateReserved": "2024-02-23T16:39:37.098Z",
"dateUpdated": "2024-09-02T08:10:55.832Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-23137 (GCVE-0-2024-23137)
Vulnerability from cvelistv5 – Published: 2024-02-22 04:49 – Updated: 2025-08-28 14:27
VLAI
Title
Multiple Vulnerabilities in the Autodesk AutoCAD Desktop Software
Summary
A maliciously crafted STP or SLDPRT file, when parsed in ODXSW_DLL.dll through Autodesk applications, can be used to uninitialized variables. This vulnerability, along with other vulnerabilities, can lead to code execution in the current process.
Severity
7.8 (High)
7.5 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-457 - Use of Uninitialized Variable
Assigner
References
Impacted products
12 products
| Vendor | Product | Version | |
|---|---|---|---|
| Autodesk | AutoCAD |
Affected:
2025 , < 2025.0.1
(custom)
Affected: 2024 , < 2024.1.3 (custom) Affected: 2023 , < 2023.1.5 (custom) Affected: 2022 , < 2022.1.4 (custom) Affected: 2021 , < 2021.1.4 (custom) cpe:2.3:a:autodesk:autocad:2025:*:*:*:*:*:*:* cpe:2.3:a:autodesk:autocad:2024:*:*:*:*:*:*:* cpe:2.3:a:autodesk:autocad:2023:*:*:*:*:*:*:* cpe:2.3:a:autodesk:autocad:2022:*:*:*:*:*:*:* cpe:2.3:a:autodesk:autocad:2021:*:*:*:*:*:*:* |
|
| Autodesk | AutoCAD Architecture |
Affected:
2025 , < 2025.0.1
(custom)
Affected: 2024 , < 2024.1.3 (custom) Affected: 2023 , < 2023.1.5 (custom) Affected: 2022 , < 2022.1.4 (custom) Affected: 2021 , < 2021.1.4 (custom) cpe:2.3:a:autodesk:autocad_architecture:2025:*:*:*:*:*:*:* cpe:2.3:a:autodesk:autocad_architecture:2024:*:*:*:*:*:*:* cpe:2.3:a:autodesk:autocad_architecture:2023:*:*:*:*:*:*:* cpe:2.3:a:autodesk:autocad_architecture:2022:*:*:*:*:*:*:* cpe:2.3:a:autodesk:autocad_architecture:2021:*:*:*:*:*:*:* |
|
| Autodesk | AutoCAD Electrical |
Affected:
2025 , < 2025.0.1
(custom)
Affected: 2024 , < 2024.1.3 (custom) Affected: 2023 , < 2023.1.5 (custom) Affected: 2022 , < 2022.1.4 (custom) Affected: 2021 , < 2021.1.4 (custom) cpe:2.3:a:autodesk:autocad_electrical:2025:*:*:*:*:*:*:* cpe:2.3:a:autodesk:autocad_electrical:2024:*:*:*:*:*:*:* cpe:2.3:a:autodesk:autocad_electrical:2023:*:*:*:*:*:*:* cpe:2.3:a:autodesk:autocad_electrical:2022:*:*:*:*:*:*:* cpe:2.3:a:autodesk:autocad_electrical:2021:*:*:*:*:*:*:* |
|
| Autodesk | AutoCAD Mechanical |
Affected:
2025 , < 2025.0.1
(custom)
Affected: 2024 , < 2024.1.3 (custom) Affected: 2023 , < 2023.1.5 (custom) Affected: 2022 , < 2022.1.4 (custom) Affected: 2021 , < 2021.1.4 (custom) cpe:2.3:a:autodesk:autocad_mechanical:2025:*:*:*:*:*:*:* cpe:2.3:a:autodesk:autocad_mechanical:2024:*:*:*:*:*:*:* cpe:2.3:a:autodesk:autocad_mechnaical:2023:*:*:*:*:*:*:* cpe:2.3:a:autodesk:autocad_mechanical:2022:*:*:*:*:*:*:* cpe:2.3:a:autodesk:autocad_mechanical:2021:*:*:*:*:*:*:* |
|
| Autodesk | AutoCAD MEP |
Affected:
2025 , < 2025.0.1
(custom)
Affected: 2024 , < 2024.1.3 (custom) Affected: 2023 , < 2023.1.5 (custom) Affected: 2022 , < 2022.1.4 (custom) Affected: 2021 , < 2021.1.4 (custom) cpe:2.3:a:autodesk:autocad_mep:2025:*:*:*:*:*:*:* cpe:2.3:a:autodesk:autocad_mep:2024:*:*:*:*:*:*:* cpe:2.3:a:autodesk:autocad_mep:2023:*:*:*:*:*:*:* cpe:2.3:a:autodesk:autocad_mep:2022:*:*:*:*:*:*:* cpe:2.3:a:autodesk:autocad_mep:2021:*:*:*:*:*:*:* |
|
| Autodesk | AutoCAD Plant 3D |
Affected:
2025 , < 2025.0.1
(custom)
Affected: 2024 , < 2024.1.3 (custom) Affected: 2023 , < 2023.1.5 (custom) Affected: 2022 , < 2022.1.4 (custom) Affected: 2021 , < 2021.1.4 (custom) cpe:2.3:a:autodesk:autocad_plant_3d:2025:*:*:*:*:*:*:* cpe:2.3:a:autodesk:autocad_plant_3d:2024:*:*:*:*:*:*:* cpe:2.3:a:autodesk:autocad_plant_3d:2023:*:*:*:*:*:*:* cpe:2.3:a:autodesk:autocad_plant_3d:2022:*:*:*:*:*:*:* cpe:2.3:a:autodesk:autocad_plant_3d:2021:*:*:*:*:*:*:* |
|
| Autodesk | Civil 3D |
Affected:
2025 , < 2025.0.1
(custom)
Affected: 2024 , < 2024.1.3 (custom) Affected: 2023 , < 2023.1.5 (custom) Affected: 2022 , < 2022.1.4 (custom) Affected: 2021 , < 2021.1.4 (custom) cpe:2.3:a:autodesk:civil_3d:2025:*:*:*:*:*:*:* cpe:2.3:a:autodesk:civil_3d:2024:*:*:*:*:*:*:* cpe:2.3:a:autodesk:civil_3d:2023:*:*:*:*:*:*:* cpe:2.3:a:autodesk:civil_3d:2022:*:*:*:*:*:*:* cpe:2.3:a:autodesk:civil_3d:2021:*:*:*:*:*:*:* |
|
| Autodesk | Advance Steel |
Affected:
2025 , < 2025.0.1
(custom)
Affected: 2024 , < 2024.1.3 (custom) Affected: 2023 , < 2023.1.5 (custom) Affected: 2022 , < 2022.1.4 (custom) Affected: 2021 , < 2021.1.4 (custom) cpe:2.3:a:autodesk:advance_steel:2025:*:*:*:*:*:*:* cpe:2.3:a:autodesk:advance_steel:2024:*:*:*:*:*:*:* cpe:2.3:a:autodesk:advance_steel:2023:*:*:*:*:*:*:* cpe:2.3:a:autodesk:advance_steel:2022:*:*:*:*:*:*:* cpe:2.3:a:autodesk:advance_steel:2021:*:*:*:*:*:*:* |
|
| Autodesk | AutoCAD MAP 3D |
Affected:
2025 , < 2025.0.1
(custom)
Affected: 2024 , < 2024.1.3 (custom) Affected: 2023 , < 2023.1.5 (custom) Affected: 2022 , < 2022.1.4 (custom) Affected: 2021 , < 2021.1.4 (custom) cpe:2.3:a:autodesk:autocad_map_3d:2025:*:*:*:*:*:*:* cpe:2.3:a:autodesk:autocad_map_3d:2024:*:*:*:*:*:*:* cpe:2.3:a:autodesk:autocad_map_3d:2023:*:*:*:*:*:*:* cpe:2.3:a:autodesk:autocad_map_3d:2022:*:*:*:*:*:*:* cpe:2.3:a:autodesk:autocad_map_3d:2021:*:*:*:*:*:*:* |
|
| autodesk | autocad_advance_steel |
Affected:
2021 , < 2021.1.4
(custom)
Affected: 2022 , < 2022.1.4 (custom) Affected: 2023 , < 2023.1.5 (custom) Affected: 2024 , < 2024.1.3 (custom) Affected: 2025 , < 2025.0.1 (custom) cpe:2.3:a:autodesk:autocad_advance_steel:2021:*:*:*:*:*:*:* cpe:2.3:a:autodesk:autocad_advance_steel:2022:*:*:*:*:*:*:* cpe:2.3:a:autodesk:autocad_advance_steel:2023:*:*:*:*:*:*:* cpe:2.3:a:autodesk:autocad_advance_steel:2024:*:*:*:*:*:*:* cpe:2.3:a:autodesk:autocad_advance_steel:2025:*:*:*:*:*:*:* |
|
| autodesk | autocad_civil_3d |
Affected:
2021 , < 2021.1.4
(custom)
Affected: 2022 , < 2022.1.4 (custom) Affected: 2023 , < 2023.1.5 (custom) Affected: 2024 , < 2024.1.3 (custom) Affected: 2025 , < 2025.0.1 (custom) cpe:2.3:a:autodesk:autocad_civil_3d:2021:*:*:*:*:*:*:* cpe:2.3:a:autodesk:autocad_civil_3d:2022:*:*:*:*:*:*:* cpe:2.3:a:autodesk:autocad_civil_3d:2023:*:*:*:*:*:*:* cpe:2.3:a:autodesk:autocad_civil_3d:2024:*:*:*:*:*:*:* cpe:2.3:a:autodesk:autocad_civil_3d:2025:*:*:*:*:*:*:* |
|
| autodesk | autocad |
Affected:
2021 , < 2021.1.4
(custom)
Affected: 2022 , < 2022.1.4 (custom) Affected: 2023 , < 2023.1.5 (custom) Affected: 2024 , < 2024.1.3 (custom) Affected: 2025 , < 2025.0.1 (custom) cpe:2.3:a:autodesk:autocad:2021:*:*:*:*:*:*:* cpe:2.3:a:autodesk:autocad:2022:*:*:*:*:*:*:* cpe:2.3:a:autodesk:autocad:2023:*:*:*:*:*:*:* cpe:2.3:a:autodesk:autocad:2024:*:*:*:*:*:*:* cpe:2.3:a:autodesk:autocad:2025:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:autodesk:autocad_advance_steel:2021:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:autocad_advance_steel:2022:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:autocad_advance_steel:2023:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:autocad_advance_steel:2024:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:autocad_advance_steel:2025:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "autocad_advance_steel",
"vendor": "autodesk",
"versions": [
{
"lessThan": "2021.1.4",
"status": "affected",
"version": "2021",
"versionType": "custom"
},
{
"lessThan": "2022.1.4",
"status": "affected",
"version": "2022",
"versionType": "custom"
},
{
"lessThan": "2023.1.5",
"status": "affected",
"version": "2023",
"versionType": "custom"
},
{
"lessThan": "2024.1.3",
"status": "affected",
"version": "2024",
"versionType": "custom"
},
{
"lessThan": "2025.0.1",
"status": "affected",
"version": "2025",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:autodesk:autocad_civil_3d:2021:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:autocad_civil_3d:2022:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:autocad_civil_3d:2023:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:autocad_civil_3d:2024:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:autocad_civil_3d:2025:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "autocad_civil_3d",
"vendor": "autodesk",
"versions": [
{
"lessThan": "2021.1.4",
"status": "affected",
"version": "2021",
"versionType": "custom"
},
{
"lessThan": "2022.1.4",
"status": "affected",
"version": "2022",
"versionType": "custom"
},
{
"lessThan": "2023.1.5",
"status": "affected",
"version": "2023",
"versionType": "custom"
},
{
"lessThan": "2024.1.3",
"status": "affected",
"version": "2024",
"versionType": "custom"
},
{
"lessThan": "2025.0.1",
"status": "affected",
"version": "2025",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:autodesk:autocad:2021:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:autocad:2022:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:autocad:2023:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:autocad:2024:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:autocad:2025:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "autocad",
"vendor": "autodesk",
"versions": [
{
"lessThan": "2021.1.4",
"status": "affected",
"version": "2021",
"versionType": "custom"
},
{
"lessThan": "2022.1.4",
"status": "affected",
"version": "2022",
"versionType": "custom"
},
{
"lessThan": "2023.1.5",
"status": "affected",
"version": "2023",
"versionType": "custom"
},
{
"lessThan": "2024.1.3",
"status": "affected",
"version": "2024",
"versionType": "custom"
},
{
"lessThan": "2025.0.1",
"status": "affected",
"version": "2025",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-23137",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-25T14:01:49.435037Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-26T16:24:17.429Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:59:30.731Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0002"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0004"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0009"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:autodesk:autocad:2025:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:autocad:2024:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:autocad:2023:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:autocad:2022:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:autocad:2021:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "AutoCAD",
"vendor": "Autodesk",
"versions": [
{
"lessThan": "2025.0.1",
"status": "affected",
"version": "2025",
"versionType": "custom"
},
{
"lessThan": "2024.1.3",
"status": "affected",
"version": "2024",
"versionType": "custom"
},
{
"lessThan": "2023.1.5",
"status": "affected",
"version": "2023",
"versionType": "custom"
},
{
"lessThan": "2022.1.4",
"status": "affected",
"version": "2022",
"versionType": "custom"
},
{
"lessThan": "2021.1.4",
"status": "affected",
"version": "2021",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:autodesk:autocad_architecture:2025:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:autocad_architecture:2024:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:autocad_architecture:2023:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:autocad_architecture:2022:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:autocad_architecture:2021:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "AutoCAD Architecture",
"vendor": "Autodesk",
"versions": [
{
"lessThan": "2025.0.1",
"status": "affected",
"version": "2025",
"versionType": "custom"
},
{
"lessThan": "2024.1.3",
"status": "affected",
"version": "2024",
"versionType": "custom"
},
{
"lessThan": "2023.1.5",
"status": "affected",
"version": "2023",
"versionType": "custom"
},
{
"lessThan": "2022.1.4",
"status": "affected",
"version": "2022",
"versionType": "custom"
},
{
"lessThan": "2021.1.4",
"status": "affected",
"version": "2021",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:autodesk:autocad_electrical:2025:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:autocad_electrical:2024:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:autocad_electrical:2023:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:autocad_electrical:2022:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:autocad_electrical:2021:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "AutoCAD Electrical",
"vendor": "Autodesk",
"versions": [
{
"lessThan": "2025.0.1",
"status": "affected",
"version": "2025",
"versionType": "custom"
},
{
"lessThan": "2024.1.3",
"status": "affected",
"version": "2024",
"versionType": "custom"
},
{
"lessThan": "2023.1.5",
"status": "affected",
"version": "2023",
"versionType": "custom"
},
{
"lessThan": "2022.1.4",
"status": "affected",
"version": "2022",
"versionType": "custom"
},
{
"lessThan": "2021.1.4",
"status": "affected",
"version": "2021",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:autodesk:autocad_mechanical:2025:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:autocad_mechanical:2024:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:autocad_mechnaical:2023:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:autocad_mechanical:2022:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:autocad_mechanical:2021:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "AutoCAD Mechanical",
"vendor": "Autodesk",
"versions": [
{
"lessThan": "2025.0.1",
"status": "affected",
"version": "2025",
"versionType": "custom"
},
{
"lessThan": "2024.1.3",
"status": "affected",
"version": "2024",
"versionType": "custom"
},
{
"lessThan": "2023.1.5",
"status": "affected",
"version": "2023",
"versionType": "custom"
},
{
"lessThan": "2022.1.4",
"status": "affected",
"version": "2022",
"versionType": "custom"
},
{
"lessThan": "2021.1.4",
"status": "affected",
"version": "2021",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:autodesk:autocad_mep:2025:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:autocad_mep:2024:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:autocad_mep:2023:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:autocad_mep:2022:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:autocad_mep:2021:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "AutoCAD MEP",
"vendor": "Autodesk",
"versions": [
{
"lessThan": "2025.0.1",
"status": "affected",
"version": "2025",
"versionType": "custom"
},
{
"lessThan": "2024.1.3",
"status": "affected",
"version": "2024",
"versionType": "custom"
},
{
"lessThan": "2023.1.5",
"status": "affected",
"version": "2023",
"versionType": "custom"
},
{
"lessThan": "2022.1.4",
"status": "affected",
"version": "2022",
"versionType": "custom"
},
{
"lessThan": "2021.1.4",
"status": "affected",
"version": "2021",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:autodesk:autocad_plant_3d:2025:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:autocad_plant_3d:2024:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:autocad_plant_3d:2023:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:autocad_plant_3d:2022:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:autocad_plant_3d:2021:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "AutoCAD Plant 3D",
"vendor": "Autodesk",
"versions": [
{
"lessThan": "2025.0.1",
"status": "affected",
"version": "2025",
"versionType": "custom"
},
{
"lessThan": "2024.1.3",
"status": "affected",
"version": "2024",
"versionType": "custom"
},
{
"lessThan": "2023.1.5",
"status": "affected",
"version": "2023",
"versionType": "custom"
},
{
"lessThan": "2022.1.4",
"status": "affected",
"version": "2022",
"versionType": "custom"
},
{
"lessThan": "2021.1.4",
"status": "affected",
"version": "2021",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:autodesk:civil_3d:2025:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:civil_3d:2024:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:civil_3d:2023:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:civil_3d:2022:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:civil_3d:2021:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "Civil 3D",
"vendor": "Autodesk",
"versions": [
{
"lessThan": "2025.0.1",
"status": "affected",
"version": "2025",
"versionType": "custom"
},
{
"lessThan": "2024.1.3",
"status": "affected",
"version": "2024",
"versionType": "custom"
},
{
"lessThan": "2023.1.5",
"status": "affected",
"version": "2023",
"versionType": "custom"
},
{
"lessThan": "2022.1.4",
"status": "affected",
"version": "2022",
"versionType": "custom"
},
{
"lessThan": "2021.1.4",
"status": "affected",
"version": "2021",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:autodesk:advance_steel:2025:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:advance_steel:2024:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:advance_steel:2023:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:advance_steel:2022:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:advance_steel:2021:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Advance Steel",
"vendor": "Autodesk",
"versions": [
{
"lessThan": "2025.0.1",
"status": "affected",
"version": "2025",
"versionType": "custom"
},
{
"lessThan": "2024.1.3",
"status": "affected",
"version": "2024",
"versionType": "custom"
},
{
"lessThan": "2023.1.5",
"status": "affected",
"version": "2023",
"versionType": "custom"
},
{
"lessThan": "2022.1.4",
"status": "affected",
"version": "2022",
"versionType": "custom"
},
{
"lessThan": "2021.1.4",
"status": "affected",
"version": "2021",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:autodesk:autocad_map_3d:2025:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:autocad_map_3d:2024:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:autocad_map_3d:2023:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:autocad_map_3d:2022:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:autocad_map_3d:2021:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "AutoCAD MAP 3D",
"vendor": "Autodesk",
"versions": [
{
"lessThan": "2025.0.1",
"status": "affected",
"version": "2025",
"versionType": "custom"
},
{
"lessThan": "2024.1.3",
"status": "affected",
"version": "2024",
"versionType": "custom"
},
{
"lessThan": "2023.1.5",
"status": "affected",
"version": "2023",
"versionType": "custom"
},
{
"lessThan": "2022.1.4",
"status": "affected",
"version": "2022",
"versionType": "custom"
},
{
"lessThan": "2021.1.4",
"status": "affected",
"version": "2021",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA maliciously crafted STP or SLDPRT file, when parsed in ODXSW_DLL.dll through Autodesk applications, can be used to uninitialized variables. This vulnerability, along with other vulnerabilities, can lead to code execution in the current process.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "A maliciously crafted STP or SLDPRT file, when parsed in ODXSW_DLL.dll through Autodesk applications, can be used to uninitialized variables. This vulnerability, along with other vulnerabilities, can lead to code execution in the current process."
}
],
"impacts": [
{
"capecId": "CAPEC-100",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-100 Overflow Buffers"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-457",
"description": "CWE-457: Use of Uninitialized Variable",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-28T14:27:03.473Z",
"orgId": "7e40ea87-bc65-4944-9723-dd79dd760601",
"shortName": "autodesk"
},
"references": [
{
"url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0002"
},
{
"url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0004"
},
{
"url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0009"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Multiple Vulnerabilities in the Autodesk AutoCAD Desktop Software",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7e40ea87-bc65-4944-9723-dd79dd760601",
"assignerShortName": "autodesk",
"cveId": "CVE-2024-23137",
"datePublished": "2024-02-22T04:49:50.154Z",
"dateReserved": "2024-01-11T21:47:40.857Z",
"dateUpdated": "2025-08-28T14:27:03.473Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-23159 (GCVE-0-2024-23159)
Vulnerability from cvelistv5 – Published: 2024-06-25 03:33 – Updated: 2025-08-26 20:48
VLAI
Title
Multiple ZDI Vulnerabilities in Autodesk AutoCAD and certain AutoCAD-based products
Summary
A maliciously crafted STP file, when parsed in stp_aim_x64_vc15d.dll through Autodesk applications, can be used to uninitialized variables. This vulnerability, along with other vulnerabilities, can lead to code execution in the current process.
Severity
7.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-457 - Use of Uninitialized Variable
Assigner
References
1 reference
Impacted products
18 products
| Vendor | Product | Version | |
|---|---|---|---|
| Autodesk | AutoCAD |
Affected:
2025 , < 2025.1
(custom)
Affected: 2024 , < 2024.1.5 (custom) Affected: 2023 , < 2023.1.6 (custom) Affected: 2022 , < 2022.1.5 (custom) cpe:2.3:a:autodesk:autocad:2025:*:*:*:*:*:*:* cpe:2.3:a:autodesk:autocad:2024:*:*:*:*:*:*:* cpe:2.3:a:autodesk:autocad:2023:*:*:*:*:*:*:* cpe:2.3:a:autodesk:autocad:2022:*:*:*:*:*:*:* |
|
| Autodesk | AutoCAD Architecture |
Affected:
2025 , < 2025.1
(custom)
Affected: 2024 , < 2024.1.5 (custom) Affected: 2023 , < 2023.1.6 (custom) Affected: 2022 , < 2022.1.5 (custom) cpe:2.3:a:autodesk:autocad_architecture:2025:*:*:*:*:*:*:* cpe:2.3:a:autodesk:autocad_architecture:2024:*:*:*:*:*:*:* cpe:2.3:a:autodesk:autocad_architecture:2023:*:*:*:*:*:*:* cpe:2.3:a:autodesk:autocad_architecture:2022:*:*:*:*:*:*:* |
|
| Autodesk | AutoCAD Electrical |
Affected:
2025 , < 2025.1
(custom)
Affected: 2024 , < 2024.1.5 (custom) Affected: 2023 , < 2023.1.6 (custom) Affected: 2022 , < 2022.1.5 (custom) cpe:2.3:a:autodesk:autocad_electrical:2025:*:*:*:*:*:*:* cpe:2.3:a:autodesk:autocad_electrical:2024:*:*:*:*:*:*:* cpe:2.3:a:autodesk:autocad_electrical:2023:*:*:*:*:*:*:* cpe:2.3:a:autodesk:autocad_electrical:2022:*:*:*:*:*:*:* |
|
| Autodesk | AutoCAD Mechanical |
Affected:
2025 , < 2025.1
(custom)
Affected: 2024 , < 2024.1.5 (custom) Affected: 2023 , < 2023.1.6 (custom) Affected: 2022 , < 2022.1.5 (custom) cpe:2.3:a:autodesk:autocad_mechanical:2025:*:*:*:*:*:*:* cpe:2.3:a:autodesk:autocad_mechanical:2024:*:*:*:*:*:*:* cpe:2.3:a:autodesk:autocad_mechnaical:2023:*:*:*:*:*:*:* cpe:2.3:a:autodesk:autocad_mechanical:2022:*:*:*:*:*:*:* |
|
| Autodesk | AutoCAD MEP |
Affected:
2025 , < 2025.1
(custom)
Affected: 2024 , < 2024.1.5 (custom) Affected: 2023 , < 2023.1.6 (custom) Affected: 2022 , < 2022.1.5 (custom) cpe:2.3:a:autodesk:autocad_mep:2025:*:*:*:*:*:*:* cpe:2.3:a:autodesk:autocad_mep:2024:*:*:*:*:*:*:* cpe:2.3:a:autodesk:autocad_mep:2023:*:*:*:*:*:*:* cpe:2.3:a:autodesk:autocad_mep:2022:*:*:*:*:*:*:* |
|
| Autodesk | AutoCAD Plant 3D |
Affected:
2025 , < 2025.1
(custom)
Affected: 2024 , < 2024.1.5 (custom) Affected: 2023 , < 2023.1.6 (custom) Affected: 2022 , < 2022.1.5 (custom) cpe:2.3:a:autodesk:autocad_plant_3d:2025:*:*:*:*:*:*:* cpe:2.3:a:autodesk:autocad_plant_3d:2024:*:*:*:*:*:*:* cpe:2.3:a:autodesk:autocad_plant_3d:2023:*:*:*:*:*:*:* cpe:2.3:a:autodesk:autocad_plant_3d:2022:*:*:*:*:*:*:* |
|
| Autodesk | Civil 3D |
Affected:
2025 , < 2025.1
(custom)
Affected: 2024 , < 2024.1.5 (custom) Affected: 2023 , < 2023.1.6 (custom) Affected: 2022 , < 2022.1.5 (custom) cpe:2.3:a:autodesk:civil_3d:2025:*:*:*:*:*:*:* cpe:2.3:a:autodesk:civil_3d:2024:*:*:*:*:*:*:* cpe:2.3:a:autodesk:civil_3d:2023:*:*:*:*:*:*:* cpe:2.3:a:autodesk:civil_3d:2022:*:*:*:*:*:*:* |
|
| Autodesk | Advance Steel |
Affected:
2025 , < 2025.1
(custom)
Affected: 2024 , < 2024.1.5 (custom) Affected: 2023 , < 2023.1.6 (custom) Affected: 2022 , < 2022.1.5 (custom) cpe:2.3:a:autodesk:advance_steel:2025:*:*:*:*:*:*:* cpe:2.3:a:autodesk:advance_steel:2024:*:*:*:*:*:*:* cpe:2.3:a:autodesk:advance_steel:2023:*:*:*:*:*:*:* cpe:2.3:a:autodesk:advance_steel:2022:*:*:*:*:*:*:* |
|
| Autodesk | AutoCAD MAP 3D |
Affected:
2025 , < 2025.1
(custom)
Affected: 2024 , < 2024.1.5 (custom) Affected: 2023 , < 2023.1.6 (custom) Affected: 2022 , < 2022.1.5 (custom) cpe:2.3:a:autodesk:autocad_map_3d:2025:*:*:*:*:*:*:* cpe:2.3:a:autodesk:autocad_map_3d:2024:*:*:*:*:*:*:* cpe:2.3:a:autodesk:autocad_map_3d:2023:*:*:*:*:*:*:* cpe:2.3:a:autodesk:autocad_map_3d:2022:*:*:*:*:*:*:* |
|
| autodesk | autocad |
Affected:
2024
cpe:2.3:a:autodesk:autocad:2024:*:*:*:*:*:*:* |
|
| autodesk | advance_steel |
Affected:
2024
cpe:2.3:a:autodesk:advance_steel:2024:*:*:*:*:*:*:* |
|
| autodesk | civil_3d |
Affected:
2024
cpe:2.3:a:autodesk:civil_3d:2024:*:*:*:*:*:*:* |
|
| autodesk | autocad_architecture |
Affected:
2024
cpe:2.3:a:autodesk:autocad_architecture:2024:*:*:*:*:*:*:* |
|
| autodesk | autocad_electrical |
Affected:
2024
cpe:2.3:a:autodesk:autocad_electrical:2024:*:*:*:*:*:*:* |
|
| autodesk | autocad_map_3d |
Affected:
2024
cpe:2.3:a:autodesk:autocad_map_3d:2024:*:*:*:*:*:*:* |
|
| autodesk | autocad_mechanical |
Affected:
2024
cpe:2.3:a:autodesk:autocad_mechanical:2024:*:*:*:*:*:*:* |
|
| autodesk | autocad_mep |
Affected:
2024
cpe:2.3:a:autodesk:autocad_mep:2024:*:*:*:*:*:*:* |
|
| autodesk | autocad_plant_3d |
Affected:
2024
cpe:2.3:a:autodesk:autocad_plant_3d:2024:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:autodesk:autocad:2024:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "autocad",
"vendor": "autodesk",
"versions": [
{
"status": "affected",
"version": "2024"
}
]
},
{
"cpes": [
"cpe:2.3:a:autodesk:advance_steel:2024:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "advance_steel",
"vendor": "autodesk",
"versions": [
{
"status": "affected",
"version": "2024"
}
]
},
{
"cpes": [
"cpe:2.3:a:autodesk:civil_3d:2024:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "civil_3d",
"vendor": "autodesk",
"versions": [
{
"status": "affected",
"version": "2024"
}
]
},
{
"cpes": [
"cpe:2.3:a:autodesk:autocad_architecture:2024:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "autocad_architecture",
"vendor": "autodesk",
"versions": [
{
"status": "affected",
"version": "2024"
}
]
},
{
"cpes": [
"cpe:2.3:a:autodesk:autocad_electrical:2024:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "autocad_electrical",
"vendor": "autodesk",
"versions": [
{
"status": "affected",
"version": "2024"
}
]
},
{
"cpes": [
"cpe:2.3:a:autodesk:autocad_map_3d:2024:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "autocad_map_3d",
"vendor": "autodesk",
"versions": [
{
"status": "affected",
"version": "2024"
}
]
},
{
"cpes": [
"cpe:2.3:a:autodesk:autocad_mechanical:2024:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "autocad_mechanical",
"vendor": "autodesk",
"versions": [
{
"status": "affected",
"version": "2024"
}
]
},
{
"cpes": [
"cpe:2.3:a:autodesk:autocad_mep:2024:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "autocad_mep",
"vendor": "autodesk",
"versions": [
{
"status": "affected",
"version": "2024"
}
]
},
{
"cpes": [
"cpe:2.3:a:autodesk:autocad_plant_3d:2024:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "autocad_plant_3d",
"vendor": "autodesk",
"versions": [
{
"status": "affected",
"version": "2024"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-23159",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-27T20:33:57.567211Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-26T20:48:14.038Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:59:31.524Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0010"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:autodesk:autocad:2025:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:autocad:2024:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:autocad:2023:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:autocad:2022:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "AutoCAD",
"vendor": "Autodesk",
"versions": [
{
"lessThan": "2025.1",
"status": "affected",
"version": "2025",
"versionType": "custom"
},
{
"lessThan": "2024.1.5",
"status": "affected",
"version": "2024",
"versionType": "custom"
},
{
"lessThan": "2023.1.6",
"status": "affected",
"version": "2023",
"versionType": "custom"
},
{
"lessThan": "2022.1.5",
"status": "affected",
"version": "2022",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:autodesk:autocad_architecture:2025:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:autocad_architecture:2024:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:autocad_architecture:2023:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:autocad_architecture:2022:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "AutoCAD Architecture",
"vendor": "Autodesk",
"versions": [
{
"lessThan": "2025.1",
"status": "affected",
"version": "2025",
"versionType": "custom"
},
{
"lessThan": "2024.1.5",
"status": "affected",
"version": "2024",
"versionType": "custom"
},
{
"lessThan": "2023.1.6",
"status": "affected",
"version": "2023",
"versionType": "custom"
},
{
"lessThan": "2022.1.5",
"status": "affected",
"version": "2022",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:autodesk:autocad_electrical:2025:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:autocad_electrical:2024:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:autocad_electrical:2023:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:autocad_electrical:2022:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "AutoCAD Electrical",
"vendor": "Autodesk",
"versions": [
{
"lessThan": "2025.1",
"status": "affected",
"version": "2025",
"versionType": "custom"
},
{
"lessThan": "2024.1.5",
"status": "affected",
"version": "2024",
"versionType": "custom"
},
{
"lessThan": "2023.1.6",
"status": "affected",
"version": "2023",
"versionType": "custom"
},
{
"lessThan": "2022.1.5",
"status": "affected",
"version": "2022",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:autodesk:autocad_mechanical:2025:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:autocad_mechanical:2024:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:autocad_mechnaical:2023:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:autocad_mechanical:2022:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "AutoCAD Mechanical",
"vendor": "Autodesk",
"versions": [
{
"lessThan": "2025.1",
"status": "affected",
"version": "2025",
"versionType": "custom"
},
{
"lessThan": "2024.1.5",
"status": "affected",
"version": "2024",
"versionType": "custom"
},
{
"lessThan": "2023.1.6",
"status": "affected",
"version": "2023",
"versionType": "custom"
},
{
"lessThan": "2022.1.5",
"status": "affected",
"version": "2022",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:autodesk:autocad_mep:2025:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:autocad_mep:2024:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:autocad_mep:2023:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:autocad_mep:2022:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "AutoCAD MEP",
"vendor": "Autodesk",
"versions": [
{
"lessThan": "2025.1",
"status": "affected",
"version": "2025",
"versionType": "custom"
},
{
"lessThan": "2024.1.5",
"status": "affected",
"version": "2024",
"versionType": "custom"
},
{
"lessThan": "2023.1.6",
"status": "affected",
"version": "2023",
"versionType": "custom"
},
{
"lessThan": "2022.1.5",
"status": "affected",
"version": "2022",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:autodesk:autocad_plant_3d:2025:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:autocad_plant_3d:2024:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:autocad_plant_3d:2023:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:autocad_plant_3d:2022:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "AutoCAD Plant 3D",
"vendor": "Autodesk",
"versions": [
{
"lessThan": "2025.1",
"status": "affected",
"version": "2025",
"versionType": "custom"
},
{
"lessThan": "2024.1.5",
"status": "affected",
"version": "2024",
"versionType": "custom"
},
{
"lessThan": "2023.1.6",
"status": "affected",
"version": "2023",
"versionType": "custom"
},
{
"lessThan": "2022.1.5",
"status": "affected",
"version": "2022",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:autodesk:civil_3d:2025:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:civil_3d:2024:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:civil_3d:2023:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:civil_3d:2022:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Civil 3D",
"vendor": "Autodesk",
"versions": [
{
"lessThan": "2025.1",
"status": "affected",
"version": "2025",
"versionType": "custom"
},
{
"lessThan": "2024.1.5",
"status": "affected",
"version": "2024",
"versionType": "custom"
},
{
"lessThan": "2023.1.6",
"status": "affected",
"version": "2023",
"versionType": "custom"
},
{
"lessThan": "2022.1.5",
"status": "affected",
"version": "2022",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:autodesk:advance_steel:2025:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:advance_steel:2024:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:advance_steel:2023:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:advance_steel:2022:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Advance Steel",
"vendor": "Autodesk",
"versions": [
{
"lessThan": "2025.1",
"status": "affected",
"version": "2025",
"versionType": "custom"
},
{
"lessThan": "2024.1.5",
"status": "affected",
"version": "2024",
"versionType": "custom"
},
{
"lessThan": "2023.1.6",
"status": "affected",
"version": "2023",
"versionType": "custom"
},
{
"lessThan": "2022.1.5",
"status": "affected",
"version": "2022",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:autodesk:autocad_map_3d:2025:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:autocad_map_3d:2024:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:autocad_map_3d:2023:*:*:*:*:*:*:*",
"cpe:2.3:a:autodesk:autocad_map_3d:2022:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "AutoCAD MAP 3D",
"vendor": "Autodesk",
"versions": [
{
"lessThan": "2025.1",
"status": "affected",
"version": "2025",
"versionType": "custom"
},
{
"lessThan": "2024.1.5",
"status": "affected",
"version": "2024",
"versionType": "custom"
},
{
"lessThan": "2023.1.6",
"status": "affected",
"version": "2023",
"versionType": "custom"
},
{
"lessThan": "2022.1.5",
"status": "affected",
"version": "2022",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA maliciously crafted STP file, when parsed in stp_aim_x64_vc15d.dll through Autodesk applications, can be used to uninitialized variables. This vulnerability, along with other vulnerabilities, can lead to code execution in the current process.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "A maliciously crafted STP file, when parsed in stp_aim_x64_vc15d.dll through Autodesk applications, can be used to uninitialized variables. This vulnerability, along with other vulnerabilities, can lead to code execution in the current process."
}
],
"impacts": [
{
"capecId": "CAPEC-100",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-100 Overflow Buffers"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-457",
"description": "CWE-457: Use of Uninitialized Variable",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-26T17:53:08.997Z",
"orgId": "7e40ea87-bc65-4944-9723-dd79dd760601",
"shortName": "autodesk"
},
"references": [
{
"url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0010"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Multiple ZDI Vulnerabilities in Autodesk AutoCAD and certain AutoCAD-based products",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7e40ea87-bc65-4944-9723-dd79dd760601",
"assignerShortName": "autodesk",
"cveId": "CVE-2024-23159",
"datePublished": "2024-06-25T03:33:00.849Z",
"dateReserved": "2024-01-11T21:51:41.602Z",
"dateUpdated": "2025-08-26T20:48:14.038Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-26147 (GCVE-0-2024-26147)
Vulnerability from cvelistv5 – Published: 2024-02-21 22:21 – Updated: 2024-08-14 19:55
VLAI
Title
Helm's Missing YAML Content Leads To Panic
Summary
Helm is a package manager for Charts for Kubernetes. Versions prior to 3.14.2 contain an uninitialized variable vulnerability when Helm parses index and plugin yaml files missing expected content. When either an `index.yaml` file or a plugins `plugin.yaml` file were missing all metadata a panic would occur in Helm. In the Helm SDK, this is found when using the `LoadIndexFile` or `DownloadIndexFile` functions in the `repo` package or the `LoadDir` function in the `plugin` package. For the Helm client this impacts functions around adding a repository and all Helm functions if a malicious plugin is added as Helm inspects all known plugins on each invocation. This issue has been resolved in Helm v3.14.2. If a malicious plugin has been added which is causing all Helm client commands to panic, the malicious plugin can be manually removed from the filesystem. If using Helm SDK versions prior to 3.14.2, calls to affected functions can use `recover` to catch the panic.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-457 - Use of Uninitialized Variable
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/helm/helm/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/helm/helm/commit/bb4cc9125503a… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:59:32.585Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/helm/helm/security/advisories/GHSA-r53h-jv2g-vpx6",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/helm/helm/security/advisories/GHSA-r53h-jv2g-vpx6"
},
{
"name": "https://github.com/helm/helm/commit/bb4cc9125503a923afb7988f3eb478722a8580af",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/helm/helm/commit/bb4cc9125503a923afb7988f3eb478722a8580af"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:helm:helm:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "helm",
"vendor": "helm",
"versions": [
{
"lessThan": "3.14.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26147",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-14T19:54:40.217354Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-14T19:55:28.698Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "helm",
"vendor": "helm",
"versions": [
{
"status": "affected",
"version": "\u003c 3.14.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Helm is a package manager for Charts for Kubernetes. Versions prior to 3.14.2 contain an uninitialized variable vulnerability when Helm parses index and plugin yaml files missing expected content. When either an `index.yaml` file or a plugins `plugin.yaml` file were missing all metadata a panic would occur in Helm. In the Helm SDK, this is found when using the `LoadIndexFile` or `DownloadIndexFile` functions in the `repo` package or the `LoadDir` function in the `plugin` package. For the Helm client this impacts functions around adding a repository and all Helm functions if a malicious plugin is added as Helm inspects all known plugins on each invocation. This issue has been resolved in Helm v3.14.2. If a malicious plugin has been added which is causing all Helm client commands to panic, the malicious plugin can be manually removed from the filesystem. If using Helm SDK versions prior to 3.14.2, calls to affected functions can use `recover` to catch the panic."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-457",
"description": "CWE-457: Use of Uninitialized Variable",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-21T22:21:42.658Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/helm/helm/security/advisories/GHSA-r53h-jv2g-vpx6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/helm/helm/security/advisories/GHSA-r53h-jv2g-vpx6"
},
{
"name": "https://github.com/helm/helm/commit/bb4cc9125503a923afb7988f3eb478722a8580af",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/helm/helm/commit/bb4cc9125503a923afb7988f3eb478722a8580af"
}
],
"source": {
"advisory": "GHSA-r53h-jv2g-vpx6",
"discovery": "UNKNOWN"
},
"title": "Helm\u0027s Missing YAML Content Leads To Panic"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-26147",
"datePublished": "2024-02-21T22:21:42.658Z",
"dateReserved": "2024-02-14T17:40:03.689Z",
"dateUpdated": "2024-08-14T19:55:28.698Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation ID: MIT-57
Phase: Implementation
Strategy: Attack Surface Reduction
Description:
- Ensure that critical variables are initialized before first use [REF-1485].
Mitigation
Phase: Build and Compilation
Strategy: Compilation or Build Hardening
Description:
- Most compilers will complain about the use of uninitialized variables if warnings are turned on.
Mitigation
Phases: Implementation, Operation
Description:
- When using a language that does not require explicit declaration of variables, run or compile the software in a mode that reports undeclared or unknown variables. This may indicate the presence of a typographic error in the variable's name.
Mitigation
Phase: Requirements
Strategy: Language Selection
Description:
- Choose a language that is not susceptible to these issues.
Mitigation
Phase: Architecture and Design
Description:
- Mitigating technologies such as safe string libraries and container abstractions could be introduced.
No CAPEC attack patterns related to this CWE.