CVE-2021-34887: 
Bentley MicroStation CONNECT vulnerability analysis and mitigation

A vulnerability was discovered in Bentley View 10.15.0.75 that allows remote attackers to disclose sensitive information through PDF file parsing. The vulnerability (CVE-2021-34887) was discovered by Mat Powell of Trend Micro Zero Day Initiative and disclosed on December 8, 2021. The issue results from an out-of-bounds read vulnerability during the parsing of PDF files (ZDI, Bentley Advisory).

The vulnerability is an out-of-bounds read issue that exists within the parsing of PDF files. The specific flaw stems from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. The vulnerability has been assigned a CVSS v3.0 score of 3.3 (AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N), indicating a relatively low severity (ZDI).

The vulnerability allows attackers to disclose sensitive information on affected installations of Bentley View. User interaction is required to exploit this vulnerability as the target must visit a malicious page or open a malicious file (ZDI).

Bentley has issued an update to correct this vulnerability. Users should update to version 10.16.02.* or more recent versions of Bentley View. As a general best practice, it is also recommended to only open PDF files coming from trusted sources (Bentley Advisory).