CVE-2024-48423: 
Python vulnerability analysis and mitigation

An issue in assimp v.5.4.3 was discovered that allows a local attacker to execute arbitrary code via the CallbackToLogRedirector function within the Assimp library. The vulnerability was identified and reported on September 20, 2024, and was assigned CVE-2024-48423 (MITRE, NVD).

The vulnerability is classified as a heap-use-after-free (UAF) issue occurring in the CallbackToLogRedirector function in Assimp.cpp:359. The bug manifests when a previously freed memory region is accessed during the logging process, specifically when attempting to access a log stream after it has been freed. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD, GitHub Issue).

The vulnerability could lead to memory corruption due to the reuse of freed memory, potentially resulting in unexpected behavior, crashes, or arbitrary code execution in contexts that rely on Assimp for parsing and importing 3D models. The high CVSS score indicates significant potential impact on the confidentiality, integrity, and availability of affected systems (GitHub Issue).

As of the current date, there is no official patch available for this vulnerability. The issue affects assimp version 5.4.3 and potentially earlier versions. Maintainers are advised to address this vulnerability by ensuring proper memory management, particularly by avoiding the use of memory after it has been freed and ensuring that log streams are properly detached before being accessed (Debian Security Tracker).