CVE-2022-28645: 
Bentley MicroStation CONNECT vulnerability analysis and mitigation

CVE-2022-28645 is a vulnerability discovered in Bentley MicroStation CONNECT and Bentley View versions 10.16.02.* and prior versions. The vulnerability was discovered by Mat Powell of Trend Micro Zero Day Initiative and was disclosed on April 12, 2022. This vulnerability affects the DGN file parsing functionality in the software (Bentley Advisory, ZDI Advisory).

The vulnerability exists within the parsing of DGN files, where crafted data can trigger a read past the end of an allocated buffer. The vulnerability has been assigned a CVSS v3.1 base score of 3.3 (Low) with the vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N. User interaction is required to exploit this vulnerability, as the target must visit a malicious page or open a malicious file (ZDI Advisory).

The vulnerability allows remote attackers to disclose sensitive information on affected installations of Bentley MicroStation CONNECT. An attacker can leverage this vulnerability in conjunction with other vulnerabilities to potentially execute arbitrary code in the context of the current process (ZDI Advisory).

Bentley has released version 10.16.03.* and more recent versions to address this vulnerability. Users are recommended to update to the latest versions of MicroStation and MicroStation-based applications. As a general best practice, it is also recommended to only open DGN files coming from trusted sources (Bentley Advisory).