CVE-2022-42939: 
Autodesk Design Review vulnerability analysis and mitigation

A memory corruption vulnerability exists in Autodesk Design Review's DesignReview.exe application when processing maliciously crafted TGA files. The vulnerability was discovered in late May 2022 and publicly disclosed on October 21, 2022. This vulnerability affects multiple versions of Autodesk products including AutoCAD 2019-2023 and Design Review 2018 (Fortinet Labs, Vendor Advisory).

The vulnerability is caused by an out-of-bounds read memory access due to an improper bounds check when parsing TGA files. It has been assigned a CVSS v3.1 base score of 7.8 (High) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is tracked as CWE-787 (Out-of-bounds Write) (NVD).

When exploited in conjunction with other vulnerabilities, this vulnerability could lead to code execution in the context of the current process. The vulnerability affects confidentiality, integrity, and availability with high severity ratings for each (NVD).

Autodesk has released security patches for affected products. Users of Autodesk Design Review 2018 should install Hotfix 5 or later. Users of other affected products should update to the following versions: AutoCAD 2023.0.1, 2022.1.2, 2021.1.2, 2020.1.5, or 2019.1.4. Updates can be obtained through the Autodesk Desktop App or Accounts Portal (Vendor Advisory).

Fortinet's FortiGuard Labs, who discovered the vulnerability, released an IPS signature named Autodesk.Design.Review.CVE-2022-42939.Memory.Corruption to proactively protect their customers (Fortinet Labs).