Improper Authorization in Mendix Applications using Mendix 8 and Mendix Applications using Mendix 9

#VU58242 Improper Authorization in Mendix Applications using Mendix 8 and Mendix Applications using Mendix 9

Cybersecurity Help s.r.o.

Published: 2021-11-18

Vulnerability identifier: #VU58242

Vulnerability risk: Low

CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-42026

CWE-ID: CWE-285

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Mendix Applications using Mendix 8
Client/Desktop applications / Other client software
Mendix Applications using Mendix 9
Client/Desktop applications / Other client software

Vendor:

Description

The vulnerability allows a remote attacker to bypass authorization checks.

The vulnerability exists due to applications built with affected versions of Mendix Studio Pro do not properly control read access for certain client actions. A remote authenticated attacker can retrieve specific attributes of arbitrary objects, regardless of whether they have read access.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

External links
http://cert-portal.siemens.com/productcert/pdf/ssa-779699.pdf

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Siemens Mendix Studio Pro