CVE-2024-7508: 
Trimble SketchUp Viewer vulnerability analysis and mitigation

Trimble SketchUp Viewer contains a heap-based buffer overflow vulnerability (CVE-2024-7508) that was discovered on December 21, 2022, and publicly disclosed on August 5, 2024. The vulnerability affects SketchUp Viewer installations and involves improper validation during SKP file parsing. This security flaw requires user interaction, specifically opening a malicious file or visiting a malicious page, to be exploited (Zero Day Initiative).

The vulnerability stems from insufficient validation of user-supplied data length before copying it to a fixed-length heap-based buffer during SKP file parsing. It has been assigned a CVSS v3.1 base score of 7.8 (High) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-787 (Out-of-bounds Write) by NIST and CWE-122 (Heap-based Buffer Overflow) by Zero Day Initiative (NVD).

If successfully exploited, this vulnerability allows attackers to execute arbitrary code in the context of the current process on affected SketchUp Viewer installations. The high CVSS score indicates potential severe impacts on system confidentiality, integrity, and availability (Zero Day Initiative).

The vulnerability has been fixed in SketchUp Version 24.0.553. Users are advised to update to this version or later to mitigate the risk (Zero Day Initiative).