CVE-2021-34888
Description
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Bentley View 10.15.0.75. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of JT files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-14841.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Bentley View 10.15.0.75 contains an out-of-bounds read vulnerability in JT file parsing, potentially leading to information disclosure and code execution.
Vulnerability
CVE-2021-34888 is an out-of-bounds read vulnerability in the JT file parsing component of Bentley View 10.15.0.75 (and possibly earlier versions). The parser does not properly validate user-supplied data in JT files, which can result in a read past the end of an allocated buffer [1][2]. According to the vendor advisory, the vulnerability affects Bentley View and other MicroStation-based applications [1]. The flaw was tracked as ZDI-CAN-14841 [2].
Exploitation
Exploitation requires user interaction; the target must visit a malicious page or open a malicious JT file [2]. An attacker can craft a JT file that triggers the out-of-bounds read when opened in Bentley View. No authentication or special privileges are needed beyond enticing the user to open the file. The attack vector is local (AV:L) and the complexity is low (AC:L) [1][2]. According to the vendor advisory, the CVSS v3.1 score is 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) [1].
Impact
Successful exploitation allows an attacker to read sensitive information beyond the bounds of an allocated buffer. This information disclosure could be used in conjunction with other vulnerabilities to achieve arbitrary code execution in the context of the current process [1][2]. The impact on confidentiality, integrity, and availability is high according to the vendor CVSS score [1]. The ZDI advisory assigns a lower CVSS score of 3.3 (confidentiality only) but notes the potential for code execution when combined with other flaws [2].
Mitigation
Bentley released advisory BE-2021-0005 on December 7, 2021, addressing this vulnerability and recommending that users update to the latest version of MicroStation or MicroStation-based applications [1]. The provided references do not explicitly state a fixed version for Bentley View; the vendor advisory covers multiple CVEs and directs users to the latest update [1]. If updating is not possible, avoid opening JT files from untrusted sources.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 10.15.0.75
- Bentley/View v5 Range: 10.15.0.75
Patches
No patches discovered yet.
References
- [1] www.bentley.com/en/common-vulnerability-exposure/BE-2021-0005 (mitre, x_refsource_MISC)
- [2] www.zerodayinitiative.com/advisories/ZDI-21-1477/ (mitre, x_refsource_MISC)