Multiple vulnerabilities in AutoCAD products
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 5 |
| CVE-ID | CVE-2022-33884 CVE-2022-33885 CVE-2022-33886 CVE-2022-33887 CVE-2022-33888 |
| CWE-ID | CWE-125 CWE-787 CWE-248 CWE-119 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Autodesk AutoCAD Other software / Other software solutions AutoCAD Architecture Client/Desktop applications / Multimedia software AutoCAD Electrical Client/Desktop applications / Multimedia software AutoCAD Map 3D Client/Desktop applications / Multimedia software AutoCAD Mechanical Client/Desktop applications / Multimedia software AutoCAD MEP Client/Desktop applications / Multimedia software AutoCAD Plant 3D Client/Desktop applications / Multimedia software AutoCAD LT Client/Desktop applications / Multimedia software Autodesk Civil 3D Client/Desktop applications / Multimedia software Advance Steel Client/Desktop applications / Multimedia software |
| Vendor | Autodesk |
Security Bulletin
This security bulletin contains information about 5 vulnerabilities.
1) Out-of-bounds read
EUVDB-ID: #VU67685
Risk: Medium
CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-33884
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition when processing X_B, PDF, and PCT files. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger out-of-bounds read error and read contents of memory on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAutodesk AutoCAD: 2022 - 2023.1
AutoCAD Architecture: 2022 - 2023.1
AutoCAD Electrical: 2022 - 2023.1
AutoCAD Map 3D: 2022 - 2023.1
AutoCAD Mechanical: 2022 - 2023.1
AutoCAD MEP: 2022 - 2023.1
AutoCAD Plant 3D: 2022 - 2023.1
AutoCAD LT: 2022.0 - 2023.1
Autodesk Civil 3D: 2022 - 2023.1
Advance Steel: 2022 - 2023.1
CPE2.3- cpe:2.3:a:autodesk:autodesk_autocad:2022.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autodesk_autocad:2023.1:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autocad_architecture:2022:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autocad_architecture:2022.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autocad_architecture:2022.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autocad_electrical:2022:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autocad_electrical:2022.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autocad_electrical:2022.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autocad_map_3d:2022:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autocad_map_3d:2022.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autocad_mechanical:2022:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autocad_mep:2022:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autocad_plant_3d:2022:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autocad_lt:2022.0:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autodesk_civil_3d:2022:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:advance_steel:2022:*:*:*:*:*:*:*
https://www.autodesk.com/trust/security-advisories/adsk-sa-2022-0020
https://www.zerodayinitiative.com/advisories/ZDI-22-1316/
https://www.zerodayinitiative.com/advisories/ZDI-22-1315/
https://www.zerodayinitiative.com/advisories/ZDI-22-1314/
https://www.zerodayinitiative.com/advisories/ZDI-22-1311/
https://www.zerodayinitiative.com/advisories/ZDI-22-1308/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Out-of-bounds write
EUVDB-ID: #VU67686
Risk: High
CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2022-33885
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error when processing CATIA and PDF files. A remote attacker can create a specially crafted file, trick the victim into opening it using the affected software, trigger out-of-bounds write and execute arbitrary code on the target system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAutodesk AutoCAD: 2022 - 2023.1
AutoCAD Architecture: 2022 - 2023.1
AutoCAD Electrical: 2022 - 2023.1
AutoCAD Map 3D: 2022 - 2023.1
AutoCAD Mechanical: 2022 - 2023.1
AutoCAD MEP: 2022 - 2023.1
AutoCAD Plant 3D: 2022 - 2023.1
AutoCAD LT: 2022.0 - 2023.1
Autodesk Civil 3D: 2022 - 2023.1
Advance Steel: 2022 - 2023.1
CPE2.3- cpe:2.3:a:autodesk:autodesk_autocad:2022.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autodesk_autocad:2023.1:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autocad_architecture:2022:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autocad_architecture:2022.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autocad_architecture:2022.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autocad_electrical:2022:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autocad_electrical:2022.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autocad_electrical:2022.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autocad_map_3d:2022:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autocad_map_3d:2022.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autocad_mechanical:2022:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autocad_mep:2022:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autocad_plant_3d:2022:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autocad_lt:2022.0:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autodesk_civil_3d:2022:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:advance_steel:2022:*:*:*:*:*:*:*
https://www.autodesk.com/trust/security-advisories/adsk-sa-2022-0020
https://www.zerodayinitiative.com/advisories/ZDI-22-1313/
https://www.zerodayinitiative.com/advisories/ZDI-22-1312/
https://www.zerodayinitiative.com/advisories/ZDI-22-1304/
https://www.zerodayinitiative.com/advisories/ZDI-22-1305/
https://www.zerodayinitiative.com/advisories/ZDI-22-1307/
https://www.zerodayinitiative.com/advisories/ZDI-22-1309/
https://www.zerodayinitiative.com/advisories/ZDI-22-1310/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Out-of-bounds write
EUVDB-ID: #VU67687
Risk: High
CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2022-33886
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error when processing CATIA and PDF files. A remote attacker can create a specially crafted file, trick the victim into opening it using the affected software, trigger out-of-bounds write and execute arbitrary code on the target system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAutodesk AutoCAD: 2022 - 2023.1
AutoCAD Architecture: 2022 - 2023.1
AutoCAD Electrical: 2022 - 2023.1
AutoCAD Map 3D: 2022 - 2023.1
AutoCAD Mechanical: 2022 - 2023.1
AutoCAD MEP: 2022 - 2023.1
AutoCAD Plant 3D: 2022 - 2023.1
AutoCAD LT: 2022.0 - 2023.1
Autodesk Civil 3D: 2022 - 2023.1
Advance Steel: 2022 - 2023.1
CPE2.3- cpe:2.3:a:autodesk:autodesk_autocad:2022.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autodesk_autocad:2023.1:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autocad_architecture:2022:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autocad_architecture:2022.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autocad_architecture:2022.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autocad_electrical:2022:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autocad_electrical:2022.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autocad_electrical:2022.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autocad_map_3d:2022:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autocad_map_3d:2022.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autocad_mechanical:2022:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autocad_mep:2022:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autocad_plant_3d:2022:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autocad_lt:2022.0:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autodesk_civil_3d:2022:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:advance_steel:2022:*:*:*:*:*:*:*
https://www.autodesk.com/trust/security-advisories/adsk-sa-2022-0020
https://www.zerodayinitiative.com/advisories/ZDI-22-1318/
https://www.zerodayinitiative.com/advisories/ZDI-22-1317/
https://www.zerodayinitiative.com/advisories/ZDI-23-100/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Uncaught exception
EUVDB-ID: #VU67689
Risk: Low
CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-33887
CWE-ID:
CWE-248 - Uncaught Exception
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to crash the application.
The vulnerability exists due to an uncaught exception when handling PDF files. A remote attacker can create a specially crafted PDF file, trick the victim into opening it and crash the application.
Install updates from vendor's website.
Vulnerable software versionsAutodesk AutoCAD: 2022 - 2023.1
AutoCAD Architecture: 2022 - 2023.1
AutoCAD Electrical: 2022 - 2023.1
AutoCAD Map 3D: 2022 - 2023.1
AutoCAD Mechanical: 2022 - 2023.1
AutoCAD MEP: 2022 - 2023.1
AutoCAD Plant 3D: 2022 - 2023.1
AutoCAD LT: 2022.0 - 2023.1
Autodesk Civil 3D: 2022 - 2023.1
Advance Steel: 2022 - 2023.1
CPE2.3- cpe:2.3:a:autodesk:autodesk_autocad:2022.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autodesk_autocad:2023.1:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autocad_architecture:2022:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autocad_architecture:2022.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autocad_architecture:2022.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autocad_electrical:2022:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autocad_electrical:2022.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autocad_electrical:2022.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autocad_map_3d:2022:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autocad_map_3d:2022.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autocad_mechanical:2022:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autocad_mep:2022:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autocad_plant_3d:2022:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autocad_lt:2022.0:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autodesk_civil_3d:2022:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:advance_steel:2022:*:*:*:*:*:*:*
https://www.autodesk.com/trust/security-advisories/adsk-sa-2022-0020
https://www.zerodayinitiative.com/advisories/ZDI-22-1306/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Buffer overflow
EUVDB-ID: #VU67688
Risk: High
CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2022-33888
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing Dwg2Spd files. A remote attacker can create a specially crafted Dwg2Spd file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAutodesk AutoCAD: 2022 - 2023.1
AutoCAD Architecture: 2022 - 2023.1
AutoCAD Electrical: 2022 - 2023.1
AutoCAD Map 3D: 2022 - 2023.1
AutoCAD Mechanical: 2022 - 2023.1
AutoCAD MEP: 2022 - 2023.1
AutoCAD Plant 3D: 2022 - 2023.1
AutoCAD LT: 2022.0 - 2023.1
Autodesk Civil 3D: 2022 - 2023.1
Advance Steel: 2022 - 2023.1
CPE2.3- cpe:2.3:a:autodesk:autodesk_autocad:2022.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autodesk_autocad:2023.1:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autocad_architecture:2022:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autocad_architecture:2022.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autocad_architecture:2022.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autocad_electrical:2022:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autocad_electrical:2022.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autocad_electrical:2022.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autocad_map_3d:2022:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autocad_map_3d:2022.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autocad_mechanical:2022:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autocad_mep:2022:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autocad_plant_3d:2022:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autocad_lt:2022.0:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:autodesk_civil_3d:2022:*:*:*:*:*:*:*
- cpe:2.3:a:autodesk:advance_steel:2022:*:*:*:*:*:*:*
https://www.autodesk.com/trust/security-advisories/adsk-sa-2022-0020
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
