CVE-2022-33890: 
Autodesk Design Review vulnerability analysis and mitigation

CVE-2022-33890 is a memory corruption vulnerability discovered in Autodesk Design Review's DesignReview.exe application. The vulnerability was identified in 2022 and affects multiple versions of Autodesk Design Review up to version 2018 Hotfix 5. The vulnerability occurs when processing maliciously crafted PCT (Macintosh Pict) or DWF (Design Web Format) files (Vendor Advisory).

The vulnerability is characterized by a memory corruption condition triggered by read access violation when processing PCT or DWF files. It has been assigned a CVSS v3.1 base score of 7.8 (High), with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-787 (Out-of-bounds Write) (NVD).

When exploited, this vulnerability could lead to code execution in the context of the current process, particularly when combined with other vulnerabilities. The high CVSS score indicates potential severe impacts on system confidentiality, integrity, and availability (Vendor Advisory).

Autodesk has released security patches to address this vulnerability. Users of Autodesk Design Review 2018 and earlier versions are strongly recommended to download and install the security hotfix that upgrades to version 2018 Hotfix 7. Users of Design Review 2013 or earlier versions need to upgrade to version 2018 or later (Vendor Advisory).

The vulnerability was discovered and reported by Kushal Arvind Shah of Fortinet's FortiGuard Labs. Fortinet has released an IPS signature named Autodesk.Design.Review.CVE-2022-33890.Remote.Code.Execution to protect their customers from this vulnerability (FortiGuard Labs).