CVE-2021-46651: 
Bentley MicroStation CONNECT vulnerability analysis and mitigation

This vulnerability (CVE-2021-46651) affects Bentley MicroStation CONNECT version 10.16.0.80. The vulnerability allows remote attackers to disclose sensitive information through improper validation of user-supplied data when parsing DGN files. User interaction is required to exploit this vulnerability, as the target must visit a malicious page or open a malicious file (ZDI Advisory, Bentley Advisory).

The specific flaw exists within the parsing of DGN files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 MEDIUM (Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) by NIST NVD, while Zero Day Initiative rates it as 3.3 LOW (Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) (NVD, ZDI Advisory).

An attacker can leverage this vulnerability to read sensitive information past the end of an allocated buffer. This information disclosure can potentially be used in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process (ZDI Advisory).

Bentley has released version 10.16.02 and more recent versions to address this vulnerability. Users are recommended to update to the latest versions of MicroStation and MicroStation-based applications. As a general best practice, it is also recommended to only open DGN files coming from trusted sources (Bentley Advisory).