CVE-2021-46578: 
Bentley MicroStation CONNECT vulnerability analysis and mitigation

CVE-2021-46578 is a vulnerability discovered in Bentley MicroStation CONNECT version 10.16.0.80. The vulnerability allows remote attackers to execute arbitrary code on affected installations. User interaction is required to exploit this vulnerability, specifically requiring the target to visit a malicious page or open a malicious file. The vulnerability was discovered within the parsing of JT files and was identified as ZDI-CAN-15372 (Zero Day Initiative, Vendor Advisory).

The vulnerability stems from the lack of validating the existence of an object prior to performing operations on the object, resulting in a use-after-free condition. The CVSS v3.1 base score is 7.8 (HIGH) with the following vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-416 (Use After Free) (Zero Day Initiative).

An attacker can leverage this vulnerability to execute code in the context of the current process. The successful exploitation could lead to complete compromise of the affected system, with high impacts on confidentiality, integrity, and availability (Zero Day Initiative).

Bentley has issued an update to address this vulnerability. Users should upgrade to version 10.16.02 or later of MicroStation and MicroStation-based applications. As a general best practice, it is recommended to only open JT files from trusted sources (Vendor Advisory).