CVE-2022-28300: 
Bentley MicroStation CONNECT vulnerability analysis and mitigation

CVE-2022-28300 is a vulnerability discovered in Bentley MicroStation 10.16.02.034 CONNECT and related applications that allows remote attackers to execute arbitrary code. The vulnerability was identified on April 12, 2022, affecting the parsing of JP2 images. User interaction is required for exploitation, as the target must visit a malicious page or open a malicious file (Zero Day Initiative, NVD).

The vulnerability is classified as an Out-of-bounds Write (CWE-787) with a CVSS v3.1 base score of 7.8 (HIGH). The specific flaw exists within the parsing of JP2 images, where crafted data in a JP2 file can trigger a write past the end of an allocated buffer. The attack vector is local (AV:L), with low attack complexity (AC:L), requiring no privileges (PR:N) but user interaction (UI:R), and the scope is unchanged (S:U) with high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) (Zero Day Initiative, Bentley Advisory).

If successfully exploited, this vulnerability allows attackers to execute code in the context of the current process, potentially leading to complete system compromise. The high CVSS score reflects the severe potential impact on system confidentiality, integrity, and availability (Zero Day Initiative).

Bentley has released version 10.16.03.* and more recent versions to address this vulnerability. Users are recommended to update to the latest versions of MicroStation and MicroStation-based applications. As an additional security measure, users should only open JP2 files from trusted sources (Bentley Advisory).