PT-2024-38979 · Ultimaker · Ultimaker Cura

Published

2024-09-03

·

Updated

2024-11-23

·

CVE-2024-8374

CVSS v3.1

7.8

High

Vector

AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: UltiMaker Cura slicer versions 5.7.0-beta.1 through 5.7.2
Description: The issue arises from improper handling of the drop to buildplate property carried in 3MF files. A 3MF file is a ZIP archive containing the model data as XML, so the property value is attacker-controlled text stored inside the archive. When a 3MF file is loaded in Cura, the 3MF reader passes that value to the Python eval() function without sanitization, so any Python expression placed there executes with the privileges of the Cura process as soon as the file is opened (the CVSS vector reflects this: local attack vector, user interaction required, no privileges needed). This poses a significant risk because 3MF files are commonly shared via 3D model databases, so a single crafted file can reach many users.
Recommendations: For UltiMaker Cura slicer versions 5.7.0-beta.1 through 5.7.2, consider disabling the /plugins/ThreeMFReader.py module until a patched build is installed, to prevent code injection via the 3MF format reader; note that this stops Cura from opening any 3MF file, not only malicious ones. Avoiding the drop to buildplate property in 3MF files you author reduces exposure for your own files, but it does not protect you from files authored by others, since the attacker controls the property value in a malicious file; until the update is applied, open 3MF files only from trusted sources. Update to a version that includes the fix for this issue as soon as it is available.
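Added illustration of the bug class described above and of the check a recipient of shared 3MF files might want; this is example code written for this page, not Cura's own code and not part of the advisory. It builds a minimal 3MF archive in memory (the ZIP layout is the 3MF core package layout; the per-object metadata element name cura:drop_to_buildplate, its placement, and the function names are assumptions made for the illustration), reads the property once the way the advisory describes (straight into eval()) and once through a strict boolean allow-list, and provides a scanner that flags files whose property value is not a plain boolean.

```python
"""CVE-2024-8374 bug class: a 3MF metadata string handed to eval().

Added example, not Cura's code. The metadata element name, its position in the
model XML, and the helper names below are assumptions for illustration only.
"""
import io
import xml.etree.ElementTree as ET
import zipfile

NS = {"m": "http://schemas.microsoft.com/3dmanufacturing/core/2015/02"}
PROPERTY = "cura:drop_to_buildplate"  # assumed name of the per-object property

# Constructed model XML: one tetrahedron carrying the property as object metadata.
MODEL_XML = """<?xml version="1.0" encoding="UTF-8"?>
<model unit="millimeter" xml:lang="en-US"
       xmlns="http://schemas.microsoft.com/3dmanufacturing/core/2015/02">
  <resources>
    <object id="1" type="model">
      <metadata name="{prop}">{value}</metadata>
      <mesh>
        <vertices>
          <vertex x="0" y="0" z="0"/><vertex x="10" y="0" z="0"/>
          <vertex x="0" y="10" z="0"/><vertex x="0" y="0" z="10"/>
        </vertices>
        <triangles>
          <triangle v1="0" v2="1" v3="2"/><triangle v1="0" v2="1" v3="3"/>
          <triangle v1="1" v2="2" v3="3"/><triangle v1="0" v2="2" v3="3"/>
        </triangles>
      </mesh>
    </object>
  </resources>
  <build><item objectid="1"/></build>
</model>
"""

CONTENT_TYPES = """<?xml version="1.0" encoding="UTF-8"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
  <Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>
  <Default Extension="model" ContentType="application/vnd.ms-package.3dmanufacturing-3dmodel+xml"/>
</Types>
"""


def build_3mf(drop_value: str) -> bytes:
    """Construct a minimal 3MF (ZIP) archive whose object carries the given property text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", CONTENT_TYPES)
        zf.writestr("3D/3dmodel.model", MODEL_XML.format(prop=PROPERTY, value=drop_value))
    return buf.getvalue()


def _object_metadata(data: bytes) -> dict:
    """Return {metadata name: text} for the first <object> in 3D/3dmodel.model."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        root = ET.fromstring(zf.read("3D/3dmodel.model"))
    obj = root.find("m:resources/m:object", NS)
    return {md.get("name"): (md.text or "") for md in obj.findall("m:metadata", NS)}


def vulnerable_read(data: bytes):
    """The advisory's bug class: the string from the archive goes straight into eval()."""
    value = _object_metadata(data)[PROPERTY]
    return eval(value)  # noqa: S307 - attacker-controlled expression executes here


_BOOL = {"true": True, "false": False}


def safe_read(data: bytes) -> bool:
    """Hardened reader: only the two boolean spellings are accepted; nothing is evaluated."""
    raw = _object_metadata(data)[PROPERTY].strip().lower()
    if raw not in _BOOL:
        raise ValueError(f"refusing non-boolean {PROPERTY!r} value: {raw!r}")
    return _BOOL[raw]


def scan_3mf(data: bytes) -> list:
    """Defender-side check for shared files: list property values that are not plain booleans."""
    findings = []
    for name, text in _object_metadata(data).items():
        if name == PROPERTY and text.strip().lower() not in _BOOL:
            findings.append(f"{name}={text!r}")
    return findings


if __name__ == "__main__":
    hostile = build_3mf("(lambda: 'code ran')()")  # harmless stand-in for a payload
    print("eval() path returned:", vulnerable_read(hostile))
    print("scan findings:", scan_3mf(hostile))
    try:
        safe_read(hostile)
    except ValueError as exc:
        print("hardened reader rejected it:", exc)
```

The hostile value used here is a harmless lambda so the script is safe to run; in a real file the same slot could hold any expression, which is why the hardened reader maps the text against an allow-list instead of parsing it, and why scan_3mf treats anything outside that list as a finding rather than trying to judge whether the expression is dangerous.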

Fix

Weakness Enumeration

Code Injection

Related Identifiers

CVE-2024-8374

Affected Products

Ultimaker Cura