macOS Autodesk Fusion 360 < 2.0.12888 XXE (adsk-sa-2022-0013)

medium Nessus Plugin ID 162497

Synopsis

Autodesk Fusion 360 installed on remote macOS or Mac OS X host is affected by an XML external entity vulnerability.

Description

The version of Autodesk Fusion 360 installed on the remote macOS or Mac OS X host is prior to 2.0.12888. It is, therefore, affected by an XML external entity (XXE) vulnerability that can cause a victim to perform arbitrary HTTP requests when parsing a malicious SVG file. An unauthenticated, remote attacker can exploit this to disclose sensitive information.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Autodesk Fusion 360 version 2.0.12888 or later.

See Also

https://www.autodesk.com/trust/security-advisories/adsk-sa-2022-0013

Plugin Details

Severity: Medium

ID: 162497

File Name: macos_autodesk_fusion_360_adsk-sa-2022-0013.nasl

Version: 1.3

Type: local

Agent: macosx

Published: 6/23/2022

Updated: 6/27/2022

Supported Sensors: Nessus Agent

Risk Information

VPR

Risk Factor: Low

Score: 1.6

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Temporal Vector: E:U/RL:OF/RC:C

CVSS Score Source: CVE-2022-27873

CVSS v3

Risk Factor: Medium

Base Score: 4.7

Temporal Score: 4.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

Temporal Vector: E:U/RL:O/RC:C

Vulnerability Information

CPE: x-cpe:/a:autodesk:fusion_360

Required KB Items: Host/local_checks_enabled, Host/MacOSX/Version, installed_sw/Autodesk Fusion 360

Exploit Ease: No known exploits are available

Patch Publication Date: 6/13/2022

Vulnerability Publication Date: 6/13/2022

Reference Information

CVE: CVE-2022-27873

IAVB: 2022-B-0017