CVE-2021-46607: 
Bentley MicroStation CONNECT vulnerability analysis and mitigation

This vulnerability (CVE-2021-46607) affects Bentley MicroStation CONNECT version 10.16.0.80. The vulnerability was discovered in the parsing of 3DS files and was disclosed on February 18, 2022. The issue stems from improper validation of user-supplied data, which can result in a read past the end of an allocated buffer (NVD, ZDI Advisory).

The vulnerability is classified as an out-of-bounds read vulnerability (CWE-125). It has been assigned a CVSS v3.1 base score of 3.3 (Low) with the vector string AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N. The vulnerability requires user interaction to exploit, as the target must visit a malicious page or open a malicious file containing crafted 3DS file data (NVD).

The vulnerability allows remote attackers to disclose sensitive information on affected installations of Bentley MicroStation CONNECT. An attacker can leverage this vulnerability in conjunction with other vulnerabilities to potentially execute arbitrary code in the context of the current process (ZDI Advisory).

Bentley has released version 10.16.02 and more recent versions to address this vulnerability. Users are recommended to update to the latest version of MicroStation and MicroStation-based applications. As a general best practice, it is also recommended to only open 3DS files coming from trusted sources (Bentley Advisory).