CVE-2021-34296: 
Siemens JT2Go vulnerability analysis and mitigation

A vulnerability was discovered in Siemens JT2Go affecting the parsing of BMP files. The vulnerability (CVE-2021-34296) was reported on March 10, 2021, and publicly disclosed on July 19, 2021. This issue affects JT2Go software and results from improper validation of user-supplied data during BMP file parsing (ZDI Advisory).

The vulnerability is an out-of-bounds read information disclosure flaw that exists within the parsing of BMP files. The specific issue stems from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. The vulnerability has been assigned a CVSS v3.1 base score of 3.3 (AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) (ZDI Advisory).

When exploited, this vulnerability could allow an attacker to disclose sensitive information on affected installations of Siemens JT2Go. The attack requires user interaction as the target must visit a malicious page or open a malicious file (ZDI Advisory).

Siemens has addressed this vulnerability through a coordinated disclosure process. The issue was reported to the vendor on March 10, 2021, and a fix was released as part of the coordinated public disclosure on July 19, 2021 (ZDI Advisory).