Improper Access Control Vulnerability in Mendix Workflow Commons Module
Plan Patch · 8.1 · SSA-210822 · Dec 13, 2022
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
The Mendix Workflow Commons module contains an improper access control vulnerability (CWE-284) in how it handles authorization checks on certain entities. Authenticated users can bypass these checks to read or delete sensitive information they should not have access to. Siemens has released patched versions for all supported version lines (2.4.0, 2.1.4, and 2.3.2). Updates may slightly affect module functionality in specific use cases.
What this means
What could happen
An authenticated attacker could read or delete sensitive information stored in Mendix Workflow Commons module entities, potentially compromising data integrity or exposing confidential business process information.
Who's at risk
Organizations using Mendix low-code applications with the Workflow Commons module for business process automation. This affects users whose applications rely on workflow data access controls for security, particularly utilities and industries managing sensitive operational or business process information through Mendix-based systems.
How it could be exploited
An attacker with valid credentials for a Mendix application that uses the vulnerable Workflow Commons module can bypass the access control checks on specific entities and read or delete data that should be restricted from them. The attacker issues direct API calls or application requests against these protected entities, and the module accepts them without properly validating authorization.
Prerequisites
- Valid user credentials for a Mendix application
- Mendix application must be using Workflow Commons module (affected versions)
- Network access to the Mendix application
- Remotely exploitable
- Requires authentication
- Improper access control on data entities
- Low complexity attack
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (3)
3 with fix
Product | Affected Versions | Fix Status
Mendix Workflow Commons | < V2.4.0 | 2.4.0
Mendix Workflow Commons V2.1 | < V2.1.4 | 2.1.4
Mendix Workflow Commons V2.3 | < V2.3.2 | 2.3.2
Remediation & Mitigation
Schedule: requires a maintenance window. Patching may require a device reboot; plan for process interruption.
Mendix Workflow Commons
- HOTFIX: Update Mendix Workflow Commons to version 2.4.0 or later
- HOTFIX: Update Mendix Workflow Commons V2.1 line to version 2.1.4 or later
- HOTFIX: Update Mendix Workflow Commons V2.3 line to version 2.3.2 or later
All products
- HOTFIX: Test application functionality after the update, as the fix may impact specific module behaviors
CVEs (1)