CVE-2021-46589: 
Bentley MicroStation CONNECT vulnerability analysis and mitigation

This vulnerability (CVE-2021-46589) affects Bentley MicroStation CONNECT 10.16.0.80 and was discovered through the Zero Day Initiative program. The vulnerability was disclosed on January 31st, 2022, and involves an out-of-bounds read vulnerability in the DGN file parsing functionality (Vendor Advisory, ZDI Advisory).

The vulnerability stems from improper validation of user-supplied data during the parsing of DGN files, which can result in a read past the end of an allocated buffer. The vulnerability has been assigned a CVSS v3.1 base score of 3.3 (LOW) with the vector string CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N. The flaw is tracked as ZDI-CAN-15383 (ZDI Advisory).

The vulnerability allows remote attackers to disclose sensitive information on affected installations of Bentley MicroStation CONNECT. An attacker can leverage this vulnerability in conjunction with other vulnerabilities to potentially execute arbitrary code in the context of the current process (ZDI Advisory).

Bentley has released version 10.16.02.* and more recent versions to address this vulnerability. Users are recommended to update to the latest versions of MicroStation and MicroStation-based applications. As a general best practice, it is also recommended to only open DGN files coming from trusted sources (Vendor Advisory).