CVE-2021-46587: 
Bentley MicroStation CONNECT vulnerability analysis and mitigation

CVE-2021-46587 is a vulnerability discovered in Bentley MicroStation CONNECT version 10.16.0.80. The vulnerability allows remote attackers to execute arbitrary code on affected installations. User interaction is required to exploit this vulnerability, as the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of 3DS files and results from the lack of validating the existence of an object prior to performing operations on the object (NVD, ZDI Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 7.8 HIGH with the following vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The issue is classified as a Use-After-Free (CWE-416) vulnerability. The flaw specifically occurs during the parsing of 3DS files, where the application fails to validate the existence of an object before performing operations on it (NVD).

An attacker can leverage this vulnerability to execute code in the context of the current process. The vulnerability affects the confidentiality, integrity, and availability of the system, as indicated by the CVSS scoring. The high severity rating suggests significant potential impact if successfully exploited (ZDI Advisory).

Bentley has issued an update to correct this vulnerability. The fix is available in version 10.16.02 and more recent versions of both MicroStation and Bentley View. As a general best practice, it is recommended to only open 3DS files coming from trusted sources (Bentley Advisory).