CVE-2022-37864 : A vulnerability has been identified in Solid Edge (All Versions

A vulnerability has been identified in Solid Edge (All Versions < SE2022MP9). The affected application contains an out of bounds write past the fixed-length heap-based buffer while parsing specially crafted DWG files. This could allow an attacker to execute code in the context of the current process. (ZDI-CAN-17627)

Published 2022-10-11 11:15:10

Updated 2022-10-12 13:47:38

Source Siemens AG

View at NVD, CVE.org

Vulnerability category: OverflowMemory CorruptionExecute code

Products affected by CVE-2022-37864

Siemens » Solid Edge » Version: Se2020
cpe:2.3:a:siemens:solid_edge:se2020:-:*:*:*:*:*:*
Matching versions
Siemens » Solid Edge » Version: Se2020 Update Maintenance Pack1
cpe:2.3:a:siemens:solid_edge:se2020:maintenance_pack1:*:*:*:*:*:*
Matching versions
Siemens » Solid Edge » Version: Se2020 Update Maintenance Pack2
cpe:2.3:a:siemens:solid_edge:se2020:maintenance_pack2:*:*:*:*:*:*
Matching versions
Siemens » Solid Edge » Version: Se2020 Update Maintenance Pack3
cpe:2.3:a:siemens:solid_edge:se2020:maintenance_pack3:*:*:*:*:*:*
Matching versions
Siemens » Solid Edge » Version: Se2020 Update Maintenance Pack4
cpe:2.3:a:siemens:solid_edge:se2020:maintenance_pack4:*:*:*:*:*:*
Matching versions
Siemens » Solid Edge » Version: Se2020 Update Maintenance Pack5
cpe:2.3:a:siemens:solid_edge:se2020:maintenance_pack5:*:*:*:*:*:*
Matching versions
Siemens » Solid Edge » Version: Se2020 Update Maintenance Pack6
cpe:2.3:a:siemens:solid_edge:se2020:maintenance_pack6:*:*:*:*:*:*
Matching versions
Siemens » Solid Edge » Version: Se2020 Update Maintenance Pack7
cpe:2.3:a:siemens:solid_edge:se2020:maintenance_pack7:*:*:*:*:*:*
Matching versions
Siemens » Solid Edge » Version: Se2020 Update Maintenance Pack8
cpe:2.3:a:siemens:solid_edge:se2020:maintenance_pack8:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-37864

EPSS FAQ

0.07%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 17 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-37864

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
7.8	HIGH	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	1.8	5.9	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2022-37864

CWE-122 Heap-based Buffer Overflow

A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

Assigned by: productcert@siemens.com (Secondary)
CWE-787 Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2022-37864

https://cert-portal.siemens.com/productcert/pdf/ssa-258115.pdf

Patch;Vendor Advisory

Jump to

Vulnerability Details : CVE-2022-37864

Products affected by CVE-2022-37864

Exploit prediction scoring system (EPSS) score for CVE-2022-37864

CVSS scores for CVE-2022-37864

CWE ids for CVE-2022-37864

References for CVE-2022-37864