Siemens Mendix
Monitor4 · ICS-CERT ICSA-21-315-04 · Nov 9, 2021
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Applications built with affected versions of Mendix Studio Pro do not prevent file documents from being cached when opened or downloaded through a browser. A local attacker could read these cached documents by accessing the browser cache. The vulnerability affects Mendix 7 (before v7.23.26), Mendix 8 (before v8.18.12), and Mendix 9 (before v9.6.1 or v9.7.0).
What this means
What could happen
A local attacker with access to a workstation running a Mendix application could read sensitive files from the browser cache after they are opened or downloaded. This affects application servers and development workstations running affected Mendix versions.
Who's at risk
Organizations running web applications built with Siemens Mendix Studio Pro versions 7, 8, or 9 (below the patched versions). This affects development teams, application operators, and any staff accessing deployed Mendix applications through a browser. The primary concern is for applications handling sensitive documents or business-critical data.
How it could be exploited
An attacker with local access to a machine running an affected Mendix application examines the browser cache directory to recover cached file documents that were opened or downloaded through the application. No special technical skill is required—the files are left unprotected in standard browser cache locations.
Prerequisites
- Local access to the workstation or server running the Mendix application
- Browser cache must not have been cleared after file access
- Access to file system or browser cache directory
- Local access only (not remotely exploitable)
- No authentication required
- Low complexity attack
- Affects confidentiality of cached files
- Requires local file system access or browser cache access
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (3)
3 with fix
Product | Affected Versions | Fix Status
Mendix Applications using Mendix 7 | < V7.23.26 | 7.23.26
Mendix Applications using Mendix 8 | < V8.18.12 | 8.18.12
Mendix Applications using Mendix 9 | < V9.6.1 | 9.6.1 or V9.7.0
Remediation & Mitigation
Do now
WORKAROUND: Avoid using file documents containing sensitive information in affected Mendix versions until patched
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Upgrade Mendix 7 applications to version 7.23.26 or later and redeploy
HOTFIX: Upgrade Mendix 8 applications to version 8.18.12 or later and redeploy
HOTFIX: Upgrade Mendix 9 applications to version 9.6.1 or 9.7.0 or later and redeploy
Long-term hardening
HARDENING: Restrict local access to workstations running Mendix applications through physical security or access controls
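To confirm after upgrading that a file-document download can no longer be written to the browser cache, the following added example (not Mendix or Siemens code) inspects the response headers of a download endpoint for the directives that forbid browser storage; the three sample responses are constructed, not captured from a real application.

```python
"""Check whether a file-download HTTP response forbids browser caching.

Added example (not Mendix/Siemens code). Input is a dict of response
headers captured from a download endpoint or, as here, constructed inline.
"""
from typing import Dict, List


def parse_cache_control(value: str) -> Dict[str, str]:
    """Split 'Cache-Control: a, b=1' into {'a': '', 'b': '1'} (names lowercased)."""
    directives: Dict[str, str] = {}
    for token in value.split(","):
        name, _, arg = token.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip().strip('"')
    return directives


def caching_findings(headers: Dict[str, str]) -> List[str]:
    """Return reasons the browser may persist the file; an empty list means safe."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    findings: List[str] = []
    if "no-store" not in cc:
        # 'private' and 'no-cache' do NOT stop the user's own browser from writing
        # the body to its disk cache; only no-store prevents storage.
        findings.append("Cache-Control lacks no-store")
    if "public" in cc:
        findings.append("Cache-Control: public lets shared caches keep the file")
    if cc.get("max-age", "0") != "0":
        findings.append(f"Cache-Control: max-age={cc['max-age']} allows reuse without revalidation")
    return findings


def is_browser_cacheable(headers: Dict[str, str]) -> bool:
    return bool(caching_findings(headers))


# Constructed sample responses for a file-document endpoint (not from a real app).
VULNERABLE = {  # no caching directives at all: browser stores the PDF on disk
    "Content-Type": "application/pdf",
    "Content-Disposition": 'attachment; filename="contract.pdf"',
}
PRIVATE_ONLY = {  # common mistake: 'private' stops proxies, not the local browser cache
    "Content-Type": "application/pdf",
    "Cache-Control": "private, max-age=600",
}
HARDENED = {  # what a patched download endpoint should send
    "Content-Type": "application/pdf",
    "Cache-Control": "no-store, no-cache, must-revalidate, private",
    "Pragma": "no-cache",
    "Expires": "0",
}

if __name__ == "__main__":
    for name, hdrs in [("vulnerable", VULNERABLE), ("private-only", PRIVATE_ONLY), ("hardened", HARDENED)]:
        print(name, caching_findings(hdrs) or "OK")
```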
CVEs (1)