CVE-2021-46564: 
Bentley MicroStation CONNECT vulnerability analysis and mitigation

A vulnerability identified as CVE-2021-46564 affects Bentley MicroStation CONNECT version 10.16.0.80. This vulnerability allows remote attackers to execute arbitrary code on affected installations. User interaction is required for exploitation, specifically requiring the target to visit a malicious page or open a malicious file. The vulnerability was discovered by researcher xina1i and was assigned the tracking number ZDI-CAN-15023 (Zero Day Initiative).

The vulnerability exists within the parsing of JT files. Specifically, crafted data in a JT file can trigger a write past the end of an allocated buffer. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-787 (Out-of-bounds Write) (Zero Day Initiative, NVD).

An attacker can leverage this vulnerability to execute code in the context of the current process. The successful exploitation requires user interaction, as the target must open a malicious file or visit a malicious page (Zero Day Initiative).

Bentley has issued an update to correct this vulnerability. Users should update to version 10.16.02 or later of the affected software. As a general best practice, it is recommended to only open JT files from trusted sources (Vendor Advisory).