CVE-2022-29033: 
Siemens JT2Go vulnerability analysis and mitigation

A vulnerability has been identified in JT2Go (All versions < V13.3.0.3), Teamcenter Visualization V13.3 (All versions < V13.3.0.3), and Teamcenter Visualization V14.0 (All versions < V14.0.0.1). The vulnerability exists in the CGMNISTLoader.dll library, which is susceptible to uninitialized pointer free while parsing specially crafted CGM files. This vulnerability was discovered in May 2022 and has been assigned CVE-2022-29033 (CISA, NVD).

The vulnerability is classified as CWE-824 (Access of Uninitialized Pointer) and has been assigned a CVSS v3.1 base score of 7.8 HIGH with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability specifically affects the CGMNISTLoader.dll library's handling of CGM files, where an uninitialized pointer free condition can occur during file parsing (CISA).

If successfully exploited, this vulnerability could allow an attacker to execute arbitrary code in the context of the current process, potentially leading to complete system compromise with the same privileges as the running application (CISA).

Siemens has released updates to address this vulnerability and recommends users update to the following versions: JT2GO: Update to v13.3.0.3, Teamcenter Visualization v13.3: Update to v13.3.0.3, and Teamcenter Visualization v14.0: Update to v14.0.0.1. As a workaround, users should avoid opening untrusted files from unknown sources in affected products (CISA).