CVE-2021-46580: 
Bentley MicroStation CONNECT vulnerability analysis and mitigation

CVE-2021-46580 affects Bentley MicroStation CONNECT version 10.16.0.80. This vulnerability allows remote attackers to execute arbitrary code on affected installations. User interaction is required to exploit this vulnerability, specifically the target must visit a malicious page or open a malicious file. The vulnerability was discovered by Mat Powell of Trend Micro Zero Day Initiative and was disclosed on January 31, 2022 (Zero Day Initiative, Vendor Advisory).

The specific flaw exists within the parsing of JT files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. The vulnerability is classified as a Use-After-Free vulnerability (CWE-416). The CVSS v3.1 base score is 7.8 HIGH with the vector string: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (Zero Day Initiative).

An attacker can leverage this vulnerability to execute code in the context of the current process. The vulnerability affects confidentiality, integrity, and availability of the system, with potential high impact on all three aspects as indicated by the CVSS score (Zero Day Initiative).

Bentley has issued an update to correct this vulnerability. Users should upgrade to version 10.16.02 or later of MicroStation and MicroStation-based applications. As a general best practice, it is also recommended to only open JT files coming from trusted sources (Vendor Advisory).