Arbitrary File Disclosure Vulnerability in KeyShot Software by Luxion
CVE-2021-27492
5.5 MEDIUM
Summary
An arbitrary file disclosure vulnerability exists in the KeyShot software because of improper handling of specially crafted 3DXML files. Datakit Software libraries used by KeyShot versions up to 10.1, such as CatiaV5_3dRead and other modules, do not adequately restrict external DTD sources when parsing these files, which allows remote attackers to exploit the flaw and potentially access sensitive files on an affected system.
Affected Version(s)
Datakit Software libraries embedded in Luxion KeyShot software: CatiaV5_3dRead, CatiaV6_3dRead, Step3dRead, Ug3dReadPsr and Jt3dReadPsr modules in KeyShot versions v10.1 and prior
CVSS V3.1
Score: 5.5
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved