CVE-2022-42940: 
Autodesk Design Review vulnerability analysis and mitigation

A memory corruption vulnerability (CVE-2022-42940) was discovered in Autodesk Design Review's TGA file processing functionality. The vulnerability was disclosed on October 21, 2022, affecting DesignReview.exe application when processing maliciously crafted TGA files. The vulnerability impacts multiple versions of Autodesk Design Review, including versions 2018, 2017, 2013, 2012, and 2011 (NVD, Fortinet).

The vulnerability is characterized as an out-of-bounds read vulnerability that occurs during the processing of Truevision Targa (TGA) files. Specifically, the vulnerability is triggered when a malformed TGA file causes an out-of-bounds read memory access due to improper bounds checking. The vulnerability has been assigned a CVSS v3 Base Score of 7.8 High, with attack vector being Local, requiring user interaction, but no privileges (AttackerKB).

When exploited, this vulnerability could lead to memory corruption and potentially allow attackers to leak sensitive information within the context of the application. The vulnerability, when combined with other vulnerabilities, could potentially lead to code execution in the context of the current process (Autodesk Advisory).

Autodesk has released security patches to address this vulnerability. Users of Autodesk Design Review 2018 and earlier versions are strongly recommended to download and install the security hotfix (Hotfix 5) available through the Autodesk Knowledge Network. Users of Design Review 2013 or earlier versions need to upgrade to version 2018 or later (Autodesk Advisory).