CVE-2021-46594: 
Bentley MicroStation CONNECT vulnerability analysis and mitigation

This vulnerability (CVE-2021-46594) affects Bentley MicroStation CONNECT version 10.16.0.80. The vulnerability was discovered by Mat Powell of Trend Micro Zero Day Initiative and was disclosed on February 18, 2022. It involves a security flaw in the parsing of DWG files, where improper validation of user-supplied data can lead to sensitive information disclosure (Zero Day Initiative, Bentley Advisory).

The vulnerability stems from an out-of-bounds read issue within the DWG file parsing functionality. The specific flaw results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 MEDIUM (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) by NVD, while Zero Day Initiative rated it as 3.3 LOW (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) (NVD).

The vulnerability can allow remote attackers to disclose sensitive information on affected installations of Bentley MicroStation CONNECT. An attacker can leverage this vulnerability in conjunction with other vulnerabilities to potentially execute arbitrary code in the context of the current process (Zero Day Initiative).

Bentley has issued an update to correct this vulnerability. The issue has been fixed in version 10.16.02 and later versions. Users are recommended to update to the latest version of the software. As a general best practice, it is also recommended to only open DWG files coming from trusted sources (Bentley Advisory).