CVE-2022-41198 SketchUp files can be memory-compromised and RCE can be triggered when victims open them.

This vulnerability is tracked as a critical vulnerability in National Vulnerability Database and has been assigned the Common Vulnerability Scoring System rating of 7.2. In addition to this, due to lack of secure connections and cross-site scripting vulnerabilities, even if a victim opens a SketchUp file in a trusted environment, it is possible that a Remote Code Execution can be triggered. This issue has been assigned the Common Vulnerability Scoring System rating of 7.2. In addition to this, due to lack of secure connections and cross-site scripting vulnerabilities, even if a victim opens a SketchUp file in a trusted environment, it is possible that a Remote Code Execution can be triggered. This issue has been assigned the Common Vulnerability Scoring System rating of 7.2. In addition to this, due to lack of secure connections and cross-site scripting vulnerabilities, even if a victim opens a SketchUp file in a trusted environment, it is possible that a Remote Code Execution can be triggered. This issue has been assigned the Common Vulnerability Scoring System rating of 7.2. In addition to this, due to lack of secure connections and cross-site scripting vulnerabilities, even if a victim opens a SketchUp file in a trusted environment, it is possible that a Remote Code Execution can be triggered. This issue has been assigned the Common Vulnerability Scoring System rating of 7.2

Summary

This vulnerability is tracked as a critical vulnerability in National Vulnerability Database and has been assigned the Common Vulnerability Scoring System rating of 7.2. In addition to this, due to lack of secure connections and cross-site scripting vulnerabilities, even if a victim opens a SketchUp file in a trusted environment, it is possible that a Remote Code Execution can be triggered. This issue has been assigned the Common Vulnerability Scoring System rating of 7.2. In addition to this, due to lack of secure connections and cross-site scripting vulnerabilities, even if a victim opens a SketchUp file in a trusted environment, it is possible that a Remote Code Execution can be triggered. This issue has been assigned the Common Vulnerability Scoring System rating of 7.2. In addition to this, due to lack of secure connections and cross-site scripting vulnerabilities, even if a victim opens a SketchUp file in a trusted environment, it is possible that a Remote Code Execution can be triggered. This issue has been assigned the Common Vulnerability Scoring System rating of 7.2

SketchUp and the SketchUp Browser (SketchViewer)

In order to mitigate this issue, users should ensure that they are not connecting to the SketchUp service using a sketchup.com account. If they are using a sketch.js plug-in in their browser, make sure that it is updated at all times.
Additionally, as more information becomes available on how this vulnerability can be exploited, we will provide further recommendations to reduce the risk of exploitation.

Timeline

Published on: 10/11/2022 21:15:00 UTC
Last modified on: 10/12/2022 20:18:00 UTC

References

• https://launchpad.support.sap.com/#/notes/3245928
• https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-41198