Remote Code Execution Vulnerability in Trimble SketchUp SKP File Parsing
CVE-2024-9712

7.8HIGH

Key Information:

Vendor: Trimble
Status: Sketchup
Vendor: CVE Published:; 22 November 2024

What is CVE-2024-9712?

A vulnerability in Trimble SketchUp arises from improper handling of SKP file parsing, which can lead to a use-after-free condition. This flaw enables remote attackers to exploit the software by enticing a user to open a specially crafted SKP file or visit a malicious webpage. Once triggered, the vulnerability allows the execution of arbitrary code within the context of the affected application, potentially compromising user systems. The risk is heightened by the requirement for user interaction, necessitating awareness and caution when dealing with untrusted files or links.

Affected Version(s)

SketchUp 23.1.340

References

https://www.zerodayinitiative.com/advisories/ZDI-24-1473/

x_research-advisory

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

CVSS V3.0

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 22, 2024

CVE-2024-9712 Data

JSON