Remote Code Execution Vulnerability in Trimble SketchUp Viewer during File Parsing
CVE-2024-9722

7.8HIGH

Key Information:

Vendor: Trimble
Status: Sketchup Viewer
Vendor: CVE Published:; 22 November 2024

What is CVE-2024-9722?

A vulnerability exists within the Trimble SketchUp Viewer that allows remote attackers to exploit the parsing of SKP files, leading to the potential execution of arbitrary code. This vulnerability is facilitated by a use-after-free flaw, where the application fails to validate the existence of an object before performing operations on it. Attackers can leverage this issue by tricking users into opening specially crafted files or visiting deceptive web pages, thereby executing malicious code in the context of the affected application. This presents significant risks to the integrity and confidentiality of users' systems.

References

https://www.zerodayinitiative.com/advisories/ZDI-24-1481/

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 22, 2024