CVE-2021-34899
Description
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley View 10.15.0.75. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of JT files. Crafted data in a JT file can trigger a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-14866.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A heap buffer overflow in Bentley View's JT file parsing allows remote code execution when a user opens a malicious file.
Vulnerability
A heap buffer overflow vulnerability exists in Bentley View 10.15.0.75 during parsing of JT files. The flaw occurs when crafted data in a JT file triggers a write past the end of an allocated buffer. No special configuration is required; any user opening a malicious JT file is vulnerable. Affected versions include Bentley View 10.15.0.75 and potentially earlier or later versions, as part of the family of MicroStation and MicroStation-based applications identified in BE-2021-0005 [1][2].
Exploitation
An attacker must convince a user to open a maliciously crafted JT file (e.g., via a web page, email attachment, or file share). No authentication or prior access is needed. The exploit requires no special privileges; user interaction in the form of opening the file is the only trigger. The crafted JT file causes an out-of-bounds write, which can be leveraged to execute arbitrary code in the context of the current process [2].
Impact
Successful exploitation allows an attacker to execute arbitrary code with the privileges of the current Bentley View process. This can lead to full compromise of confidentiality, integrity, and availability of the affected system. The CVSS v3.1 score is 7.8, reflecting high impact [1][2].
Mitigation
Bentley Systems released BE-2021-0005 on 2021-12-07 addressing this vulnerability. Users should update Bentley View and any MicroStation-based applications to the latest version provided by Bentley. No workarounds are offered by the vendor. The vulnerability is not listed in CISA KEV as of this writing [1][2].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =10.15.0.75
- Bentley/View (v5): Range: 10.15.0.75
Patches
No patches discovered yet.
References
- www.bentley.com/en/common-vulnerability-exposure/BE-2021-0005 (MITRE, x_refsource_MISC)
- www.zerodayinitiative.com/advisories/ZDI-21-1488/ (MITRE, x_refsource_MISC)