BE-2022-0010: 3DS File Parsing Out-of-bounds Read Vulnerabilities in MicroStation and MicroStation-based applications
Bentley ID: BE-2022-0010 CVE ID: CVE-2022-35903 Severity: 3.3 (low) CVSS v3.1: AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N Publication date: 13th July 2022 Revision date: 18th July 2022
SummaryMicroStation and MicroStation-based applications may be affected by out-of-bounds read vulnerabilities when opening maliciously crafted 3DS files. Exploiting these vulnerabilities could lead to information disclosure.
DetailsUsing an affected version of MicroStation or MicroStation-based application to open a 3DS file containing maliciously crafted data can force an out-of-bounds read. Exploitation of these vulnerabilities within the parsing of 3DS files could enable an attacker to read information in the context of the current process.
Affected Versions of Products
|Product||Affected Version||Fixed Version|
|MicroStation||10.16.* and prior versions||10.17.0.* and more recent|
|Bentley View||10.16.* and prior version||10.17.0.* and more recent|
Recommended MitigationsBentley recommends updating to the latest versions of MicroStation and MicroStation-based applications. As a general best practice, it is also recommended to only open 3DS files coming from trusted sources.
AcknowledgementThanks to xina1i for discovering these vulnerabilities.
|13th July 2022||First version of the advisory|
|18th July 2022||Adding CVE number|