Luxion KeyShot JT File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability
CVE-2024-11581

7.8HIGH

Key Information:

Vendor: Luxion
Status: Keyshot
Vendor: CVE Published:; 22 November 2024

Summary

A vulnerability in Luxion KeyShot arises from insecure handling of jt file parsing, leading to the potential for remote code execution. This flaw occurs due to inadequate validation of user-supplied data, which may enable attackers to read beyond the allocated buffer. Exploitation requires user interaction, necessitating the opening of a malicious file or visiting a compromised web page. If successfully executed, an attacker could gain the ability to run arbitrary code in the context of the vulnerable process, compromising the integrity and security of the affected installations.

Affected Version(s)

KeyShot 2024 13.0.0 Build 92 4.10.171

References

https://www.zerodayinitiative.com/advisories/ZDI-24-1612/

x_research-advisory

https://download.keyshot.com/cert/ksa-655925/ksa-655925.p...

vendor-advisory

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Nov 22, 2024
Vulnerability Reserved
Nov 20, 2024