CVE-2021-46611: 
Bentley MicroStation CONNECT vulnerability analysis and mitigation

This vulnerability (CVE-2021-46611) affects Bentley MicroStation CONNECT version 10.16.0.80 and was discovered in the parsing of JP2 images. The vulnerability was disclosed on February 18, 2022, and allows remote attackers to disclose sensitive information. User interaction is required for exploitation, as the target must visit a malicious page or open a malicious file (Zero Day Initiative, NVD).

The vulnerability stems from improper validation of user-supplied data during JP2 image parsing, which can result in a read past the end of an allocated buffer. The CVSS v3.1 base score is 3.3 (LOW) with a vector of CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N. The vulnerability is classified as CWE-125 (Out-of-bounds Read) (Zero Day Initiative, Bentley Advisory).

The vulnerability allows attackers to disclose sensitive information from affected installations. While the direct impact is limited to information disclosure, an attacker can potentially leverage this vulnerability in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process (Zero Day Initiative).

Bentley has released version 10.16.02 and more recent versions to address this vulnerability. As a general best practice, it is recommended to only open JP2 files coming from trusted sources (Bentley Advisory).