CVE-2024-37002 — Use of Uninitialized Variable in Advance Steel

CWE-457 — Use of Uninitialized Variable CWE-908 — Use of Uninitialized Resource CWE-863 — Incorrect Authorization3 documents3 sources

Severity

7.8HIGHNVD

EPSS

0.1%

top 64.46%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Autodesk Advance Steel Autodesk Autocad Autodesk Autocad Architecture +6 more

Timeline

PublishedJun 25

Description

A maliciously crafted MODEL file, when parsed in ASMkern229A.dllthrough Autodesk applications, can be used to uninitialized variables. This vulnerability, along with other vulnerabilities, could lead to code execution in the current process.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages18 packages

▶CVEListV5autodesk/autocad2025 — 2025.1+3

▶NVDautodesk/autocad2022 — 2022.1.5+3

▶CVEListV5autodesk/civil_3d2025 — 2025.1+3

▶NVDautodesk/civil_3d2022 — 2022.1.5+3

▶CVEListV5autodesk/autocad_mep2025 — 2025.1+3

🔴Vulnerability Details

CVEList

Multiple Vulnerabilities in the Autodesk AutoCAD Desktop Software↗2024-06-25

▶

GHSA

GHSA-354c-38ff-3cw6: A maliciously crafted MODEL file, when parsed in ASMkern229A↗2024-06-25

▶

External resources

NVD MITRE

Affected products9

Autodesk Advance Steel≥ 2025, < 2025.1≥ 2024, < 2024.1.4≥ 2023, < 2023.1.6+1 more

Autodesk Autocad≥ 2025, < 2025.1≥ 2024, < 2024.1.4≥ 2023, < 2023.1.6+1 more

Autodesk Autocad Architecture≥ 2025, < 2025.1≥ 2024, < 2024.1.4≥ 2023, < 2023.1.6+1 more

Autodesk Autocad Electrical≥ 2025, < 2025.1≥ 2024, < 2024.1.4≥ 2023, < 2023.1.6+1 more

Autodesk Autocad MAP 3D≥ 2025, < 2025.1≥ 2024, < 2024.1.4≥ 2023, < 2023.1.6+1 more

Autodesk Autocad Mechanical≥ 2025, < 2025.1≥ 2024, < 2024.1.4≥ 2023, < 2023.1.6+1 more

Autodesk Autocad MEP≥ 2025, < 2025.1≥ 2024, < 2024.1.4≥ 2023, < 2023.1.6+1 more

Autodesk Autocad Plant 3D≥ 2025, < 2025.1≥ 2024, < 2024.1.4≥ 2023, < 2023.1.6+1 more

Autodesk Civil 3D≥ 2025, < 2025.1≥ 2024, < 2024.1.4≥ 2023, < 2023.1.6+1 more

Disclosure

PublishedJun 25, 2024