Luxion KeyShot ABC File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability
CVE-2024-11580

7.8HIGH

Key Information:

Vendor: Luxion
Status: Keyshot
Vendor: CVE Published:; 22 November 2024

What is CVE-2024-11580?

The vulnerability allows remote attackers to execute arbitrary code on affected installations of Luxion KeyShot by exploiting a flaw in the parsing of abc files. This issue arises due to inadequate validation of the length of user-supplied data before it is copied to a heap-based buffer. Consequently, an attacker can execute code in the context of the current process when the targeted user interacts with a malicious page or opens a compromised file. Proper security measures and updates are essential to mitigate this risk.

Affected Version(s)

KeyShot 2024 13.0.0 Build 92 4.10.171

References

https://www.zerodayinitiative.com/advisories/ZDI-24-1611/

x_research-advisory

https://download.keyshot.com/cert/ksa-655925/ksa-655925.p...

vendor-advisory

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 22, 2024
Vulnerability Reserved
Nov 20, 2024