Use-After-Free Remote Code Execution Vulnerability in Trimble SketchUp Viewer
CVE-2024-9728
7.8 HIGH
What is CVE-2024-9728?
A vulnerability exists in Trimble SketchUp Viewer due to improper handling of SKP file parsing, which leads to a use-after-free condition. This flaw allows remote attackers to execute arbitrary code when a user opens a specially crafted SKP file or visits a malicious webpage. The flaw results from a lack of checks for object validity before operations are performed on the object, enabling unauthorized manipulation within the current process. Mitigation requires users to avoid opening untrusted files and to apply security updates promptly. Refer to advisory ZDI-24-1484 for further details.