CVE-2021-46641: 
Bentley MicroStation CONNECT vulnerability analysis and mitigation

This vulnerability (CVE-2021-46641) affects Bentley View version 10.15.0.75. The vulnerability was discovered by Mat Powell of Trend Micro Zero Day Initiative and was disclosed on January 31, 2022. The flaw exists within the parsing of DGN files, where crafted data in a DNG file can trigger a read past the end of an allocated buffer (Zero Day Initiative, Vendor Advisory).

The vulnerability is classified with a CVSS v3.1 Base Score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The specific flaw involves an out-of-bounds read vulnerability in the DGN file parsing functionality. The issue stems from improper validation of user-supplied data, which can result in reading beyond allocated buffer boundaries (Zero Day Initiative).

If successfully exploited, this vulnerability allows attackers to execute arbitrary code in the context of the current process. The attack requires user interaction, specifically that the target must visit a malicious page or open a malicious file (Zero Day Initiative).

Bentley has issued an update to address this vulnerability. Users should upgrade to version 10.16.02 or later of the affected software. As a general best practice, it is recommended to only open DGN files from trusted sources (Vendor Advisory).