CVE-2024-9718: 
Trimble SketchUp Viewer vulnerability analysis and mitigation

Trimble SketchUp Viewer contains an out-of-bounds read vulnerability that could lead to remote code execution (CVE-2024-9718). The vulnerability was discovered in the SKP file parsing functionality and was reported on May 1, 2024. The issue affects SketchUp Viewer installations prior to version 2024.0.2 (ZDI Advisory).

The vulnerability exists within the parsing of SKP files and stems from insufficient validation of user-supplied data, which can result in a read past the end of an allocated buffer. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The weakness has been classified as CWE-125 (Out-of-bounds Read) (NVD, ZDI Advisory).

A successful exploitation of this vulnerability could allow attackers to execute arbitrary code in the context of the current process, potentially leading to complete system compromise. The vulnerability requires user interaction, specifically opening a malicious file or visiting a malicious page (ZDI Advisory).

The vulnerability has been fixed in SketchUp Viewer version 2024.0.2. Users are advised to upgrade to this version or later to mitigate the risk (ZDI Advisory).