https://www.3ds.com/vulnerability/advisories <br/></td> CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"/>https://www.3ds.com/vulnerability/advisories <br/></td> CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"/>

Exploit
CVE-2024-3298

Out-of-bounds Write (CWE-787)

Published: Apr 4, 2024 / Updated: 7mo ago

010
CVSS 7.8EPSS 0.04%High
CVE info copied to clipboard

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Dassault Syst��mes eDrawings. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DWG files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated object. An attacker can leverage this vulnerability to execute code in the context of the current process. Dassault Syst&#232;mes has issued an update to correct this vulnerability. More details can be found at: https://www.3ds.com/vulnerability/advisories

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

CVE Assignment

NVD published the first details for CVE-2024-3298

Apr 4, 2024 at 8:15 AM
CVSS

A CVSS base score of 7.8 has been assigned.

Apr 4, 2024 at 3:20 PM / nvd
First Article

Feedly found the first article mentioning CVE-2024-3298. See article

Apr 4, 2024 at 3:24 PM / National Vulnerability Database
EPSS

EPSS Score was set to: 0.04% (Percentile: 7.7%)

Apr 5, 2024 at 3:44 PM
Static CVE Timeline Graph

Exploits

https://www.zerodayinitiative.com/advisories/ZDI-24-254/
+null more

News

Multiple vulnerabilities exist in file reading procedure in eDrawings from Re...
Heap-based Buffer Overflow, Memory Corruption, Out-Of-Bounds Read, Out-Of-Bounds Write, Stack-based Buffer Overflow, Type Confusion, Uninitialized Variable, Use-After-Free vulnerabilities exist in the file reading procedure in eDrawings from Release SOLIDWORKS 2023 through Release SOLIDWORKS 2024. Mat Powell of Trend Micro Zero Day Initiative finder
Dassault Systèmes Security Advisories
These vulnerabilities could allow an attacker to execute arbitrary code while opening a specially crafted CATPART, DWG, DXF, IPT, JT, SAT, SLDDRW, SLDPRT, STL, STP, X_B or X_T file. Teamwork Cloud - Standard Edition from No Magic Release 2021x through No Magic Release 2022x Medium Link to Support Knowledge Base (KB) 2023-09-13 CVE-2023-3588 Stored Cross-site Scripting (XSS) vulnerability affecting Teamwork Cloud from No Magic Release 2021x through No Magic Release 2022x A stored Cross-site Scripting (XSS) vulnerability affecting Teamwork Cloud from No Magic Release 2021x through No Magic Release 2022x allows an attacker to execute arbitrary script code.
eDrawings Viewer DXF File Parsing RCE Vulnerability - 202405010004
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Dassault Systèmes eDrawings Viewer. CVE Severity CVSS Product(s) Affected Summary Dated CVE-2024-3298 Critical 7.8 from Release SOLIDWORKS 2023
eDrawings Viewer DXF File Parsing RCE Vulnerability - 20240509004
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Dassault Systèmes eDrawings Viewer. CVE Severity CVSS Product(s) Affected Summary Dated CVE-2024-3298 Critical 7.8 from Release SOLIDWORKS 2023
ZDI-24-431: Dassault Systèmes eDrawings Viewer DXF File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Dassault Syst��mes eDrawings Viewer. Dassault Systèmes has issued an update to correct this vulnerability.
See 9 more articles and social media posts

CVSS V3.1

Attack Vector:Local
Attack Complexity:Low
Privileges Required:None
User Interaction:Required
Scope:Unchanged
Confidentiality:High
Integrity:High
Availability Impact:High

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI