Buffer overflow in LibreCAD

#VU63898 Buffer overflow in LibreCAD

Published: 2022-06-01 | Updated: 2022-12-19

Vulnerability identifier: #VU63898

Vulnerability risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-45341

CWE-ID: CWE-120

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
LibreCAD
Universal components / Libraries / Libraries used by multiple products

Vendor: LibreCad

Description

The vulnerability allows a remote attacker to execute arbitrary code on the system.

The vulnerability exists due to a boundary error in the CDataMoji of the jwwlib component. A remote attacker can trick the victim into opening a specially crafted JWW document, trigger heap buffer overflow, and execute arbitrary code on the target system.

Mitigation
Install update from vendor's website.

Vulnerable software versions

LibreCAD: 1.0.0 - 2.2.0 rc3

External links
http://github.com/LibreCAD/LibreCAD/issues/1462
http://github.com/LibreCAD/LibreCAD/commit/d9dcb27e47f9545cac3bccdca2d4f9c8754ff801

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Gentoo update for LibreCAD

Ubuntu update for librecad

Debian update for librecad

Multiple vulnerabilities in LibreCAD