A vulnerability has been found in Ansys SpaceClaim 2022 R1 and classified as critical. This vulnerability affects an unknown code of the component JT File Parser. The manipulation with an unknown input leads to a use after free vulnerability. The CWE definition for the vulnerability is CWE-416. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. As an impact it is known to affect confidentiality, integrity, and availability. CVE summarizes:

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ansys SpaceClaim 2022 R1. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of JT files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-17045.

The weakness was published 09/15/2022 as ZDI-22-1193. The advisory is shared for download at zerodayinitiative.com. This vulnerability was named CVE-2022-40637 since 09/13/2022. Successful exploitation requires user interaction by the victim. There are neither technical details nor an exploit publicly available. The current price for an exploit might be approx. USD $0-$5k (estimation calculated on 10/18/2022).

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

Productinfo

Vendor

• Ansys

Name

• SpaceClaim

Version

• 2022 R1

CPE 2.3info

• 🔍

CPE 2.2info

• 🔍

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion