Remote Code Execution Vulnerability in Bentley View
CVE-2023-44430

7.8HIGH

Key Information:

Vendor: Bentley
Status: View
Vendor: CVE Published:; 3 May 2024

Summary

A vulnerability exists within the Bentley View application related to the parsing of SKP files, which may allow remote attackers to execute arbitrary code. This flaw stems from inadequate validation of object existence before operations are performed, leading to a use-after-free condition. To exploit this vulnerability, an attacker must trick a user into opening a specially crafted file or visiting a malicious webpage, thereby executing code within the current process context. Users of Bentley View are strongly advised to apply the recommended security updates to mitigate potential risks.

Affected Version(s)

View 10.17.0.34

References

https://www.zerodayinitiative.com/advisories/ZDI-24-019/

x_research-advisory

https://www.bentley.com/advisories/be-2022-0019/

vendor-advisory

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
May 3, 2024
Vulnerability Reserved
Sep 28, 2023

Collectors

NVD DatabaseMitre Database