CVE-2021-46572: 
Bentley MicroStation CONNECT vulnerability analysis and mitigation

CVE-2021-46572 affects Bentley MicroStation CONNECT version 10.16.0.80. This vulnerability allows remote attackers to execute arbitrary code when users interact with maliciously crafted JT files. The vulnerability was discovered by Mat Powell of Trend Micro Zero Day Initiative and was assigned tracking number ZDI-CAN-15366 (Zero Day Initiative, Vendor Advisory).

The vulnerability exists within the parsing of JT files. Specifically, crafted data in a JT file can trigger a write past the end of an allocated buffer. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The flaw is classified as CWE-787 (Out-of-bounds Write) (Zero Day Initiative).

An attacker can leverage this vulnerability to execute code in the context of the current process. The vulnerability requires user interaction, specifically opening a malicious file, but could lead to complete system compromise if successfully exploited (Zero Day Initiative).

Bentley has issued an update to correct this vulnerability. Users should upgrade to version 10.16.02 or later of MicroStation and MicroStation-based applications. As a general best practice, it is recommended to only open JT files from trusted sources (Vendor Advisory).