CVE-2021-27494

moderate-risk

Published 2021-05-27

Datakit Software libraries CatiaV5_3dRead, CatiaV6_3dRead, Step3dRead, Ug3dReadPsr, Jt3dReadPsr modules in KeyShot Versions v10.1 and prior lack proper validation of user-supplied data when parsing STP files. This could result in a stack-based buffer overflow. An attacker could leverage this vulnerability to execute code in the context of the current process.

Do I need to act?

0.62% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.8/10 High

LOCAL / LOW complexity

Affected Products (4)

Crosscadware

Keyshot

Solid Edge Se2020 Firmware

Solid Edge Se2021 Firmware

Affected Vendors

Siemens Luxion Datakit

References (6)

Third Party Advisory https://cert-portal.siemens.com/productcert/pdf/ssa-119468.pdf

Third Party Advisory https://us-cert.cisa.gov/ics/advisories/icsa-21-145-01

Third Party Advisory https://www.zerodayinitiative.com/advisories/ZDI-21-564/

Third Party Advisory https://cert-portal.siemens.com/productcert/pdf/ssa-119468.pdf

Third Party Advisory https://us-cert.cisa.gov/ics/advisories/icsa-21-145-01

Third Party Advisory https://www.zerodayinitiative.com/advisories/ZDI-21-564/

/ 100

moderate-risk

Severity 24/34 · High

Exploitability 2/34 · Minimal

Exposure 10/34 · Low