CVE-2021-46595: 
Bentley MicroStation CONNECT vulnerability analysis and mitigation

A vulnerability in Bentley MicroStation CONNECT 10.16.0.80 (CVE-2021-46595) was discovered that allows remote attackers to disclose sensitive information. The vulnerability was identified in the parsing of 3DS files and requires user interaction, specifically opening a malicious file or visiting a malicious page (ZDI Advisory).

The vulnerability stems from improper validation of user-supplied data during the parsing of 3DS files, resulting in an out-of-bounds read past the end of an allocated buffer. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (MEDIUM) by NIST with vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N, while Zero Day Initiative assigned a score of 3.3 (LOW) with vector CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N. The vulnerability is classified as CWE-125 (Out-of-bounds Read) (NVD).

The vulnerability can lead to the disclosure of sensitive information. When combined with other vulnerabilities, an attacker could potentially execute arbitrary code in the context of the current process (ZDI Advisory, Bentley Advisory).

Bentley has released version 10.16.02.* and more recent versions to address this vulnerability. Users are recommended to update to the latest versions of MicroStation and MicroStation-based applications. As a general best practice, it is also recommended to only open 3DS files coming from trusted sources (Bentley Advisory).