CVE-2022-27873 - OpenCVE

An attacker can force the victim’s device to perform arbitrary HTTP requests in WAN through a malicious SVG file being parsed by Autodesk Fusion 360’s document parser. The vulnerability exists in the application’s ‘Insert SVG’ procedure. An attacker can also leverage this vulnerability to obtain victim’s public IP and possibly other sensitive information.

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Autodesk	Fusion 360

Configuration 1 [-]

cpe:2.3:a:autodesk:fusion_360:*:*:*:*:*:*:*:*

References

Link	Resource
https://www.autodesk.com/trust/security-advisories/adsk-sa-2022-0013	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: autodesk

Published: 2022-07-29T15:17:03

Updated: 2022-07-29T15:17:03

Reserved: 2022-03-25T00:00:00

Link: CVE-2022-27873

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-07-29T16:15:08.827

Modified: 2022-08-05T18:49:42.793

Link: CVE-2022-27873

JSON object: View

Redhat Information

No data.

CWE

CWE-611

{"containers": {"cna": {"affected": [{"product": "Fusion360", "vendor": "n/a", "versions": [{"status": "affected", "version": "2.0.12887 and prior"}]}], "descriptions": [{"lang": "en", "value": "An attacker can force the victim\u2019s device to perform arbitrary HTTP requests in WAN through a malicious SVG file being parsed by Autodesk Fusion 360\u2019s document parser. The vulnerability exists in the application\u2019s \u2018Insert SVG\u2019 procedure. An attacker can also leverage this vulnerability to obtain victim\u2019s public IP and possibly other sensitive information."}], "problemTypes": [{"descriptions": [{"description": "XML External Entities (XXE)", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-07-29T15:17:03", "orgId": "7e40ea87-bc65-4944-9723-dd79dd760601", "shortName": "autodesk"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2022-0013"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@autodesk.com", "ID": "CVE-2022-27873", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Fusion360", "version": {"version_data": [{"version_value": "2.0.12887 and prior"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An attacker can force the victim\u2019s device to perform arbitrary HTTP requests in WAN through a malicious SVG file being parsed by Autodesk Fusion 360\u2019s document parser. The vulnerability exists in the application\u2019s \u2018Insert SVG\u2019 procedure. An attacker can also leverage this vulnerability to obtain victim\u2019s public IP and possibly other sensitive information."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "XML External Entities (XXE)"}]}]}, "references": {"reference_data": [{"name": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2022-0013", "refsource": "MISC", "url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2022-0013"}]}}}}, "cveMetadata": {"assignerOrgId": "7e40ea87-bc65-4944-9723-dd79dd760601", "assignerShortName": "autodesk", "cveId": "CVE-2022-27873", "datePublished": "2022-07-29T15:17:03", "dateReserved": "2022-03-25T00:00:00", "dateUpdated": "2022-07-29T15:17:03", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}