#VU94196 Use of Hard-coded, Security-relevant Constants in Mendix Encryption - CVE-2024-39888

Cybersecurity Help s.r.o.

Published: 2024-07-12

Vulnerability identifier: #VU94196

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-39888

CWE-ID: CWE-547

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Mendix Encryption
Hardware solutions / Firmware

Vendor: Siemens

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to the affected module defines a specific hard-coded default value for the EncryptionKey constant, which is used in projects where no individual EncryptionKey was specified. A remote attacker can gain unauthorized access to sensitive information on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Mendix Encryption: 10.0.0

External links
https://cert-portal.siemens.com/productcert/html/ssa-998949.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Information disclosure in Siemens Mendix Encryption Module