LDAP Injection Vulnerability in Mendix LDAP Module
Tags: Plan, Patch
Score: 7.4
Advisory: SSA-314390
Published: Jan 14, 2025
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
The Mendix LDAP module contains an LDAP injection vulnerability that allows an unauthenticated remote attacker to bypass username verification through specially crafted LDAP queries. This affects all versions prior to 1.1.2.
What this means
What could happen
An attacker could bypass username verification in LDAP authentication systems, potentially gaining unauthorized access to applications that rely on the Mendix LDAP module for user verification. This could compromise access control to critical operational applications.
Who's at risk
Organizations using Mendix applications with the LDAP authentication module for access control. This includes utility operators using LDAP-based systems for SCADA/HMI authentication, asset management platforms, or engineering workstation access control systems that depend on the Mendix LDAP module.
How it could be exploited
An attacker submits a specially crafted value in the username field. Because the Mendix LDAP module builds its LDAP query from that input without neutralizing it, the injected filter logic bypasses the username verification check, and the attacker gains unauthorized access to the application without valid credentials.
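As an added illustration of this defect class (not the Mendix module's own code), the following builds the kind of LDAP search filter an authentication module issues for a username, first by raw concatenation and then with the value escaped per RFC 4515; the filter shape, the attribute name uid and the username allow-list are assumptions.

```python
import re

# Added example, not Mendix code. Assumes the module issues a filter of the
# form (&(objectClass=person)(uid=<username>)) and escapes per RFC 4515 s.3.

# Characters that carry meaning inside an LDAP filter assertion value.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Assumed username policy; adapt to the directory's naming rules.
_USERNAME_RE = re.compile(r"[A-Za-z0-9._@-]{1,64}")


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP search filter."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(username: str) -> str:
    """Vulnerable pattern: the raw username is concatenated into the filter."""
    return f"(&(objectClass=person)(uid={username}))"


def build_filter_safe(username: str) -> str:
    """Hardened pattern: filter metacharacters in the username are escaped."""
    return f"(&(objectClass=person)(uid={escape_filter_value(username)}))"


def username_in_policy(username: str) -> bool:
    """Defense in depth: allow-list the username before it reaches the directory."""
    return _USERNAME_RE.fullmatch(username) is not None


def uid_assertion(ldap_filter: str) -> str:
    """Return the text that ended up as the uid assertion value in a filter."""
    start = ldap_filter.index("uid=") + len("uid=")
    return ldap_filter[start:-2]


def has_unescaped_metachar(value: str) -> bool:
    """True if an assertion value still contains a raw filter metacharacter."""
    return any(ch in value for ch in "*()\x00")


if __name__ == "__main__":
    probe = "*"  # constructed sample input: a wildcard in place of a username
    print(build_filter_unsafe(probe))  # the wildcard reaches the directory
    print(build_filter_safe(probe))    # the wildcard is sent as a literal \2a
    print("in policy:", username_in_policy(probe))
```

Escaping covers filter assertion values only; a username that is also placed into a distinguished name needs the separate DN escaping rules of RFC 4514.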
Prerequisites
- Network access to the application using the Mendix LDAP module
- Mendix LDAP module version < 1.1.2 deployed
- Application must process user input through vulnerable LDAP authentication
Tags: remotely exploitable, no authentication required, affects access control systems, low complexity
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product | Affected Versions | Fix Status
Mendix LDAP | < V1.1.2 | 1.1.2
Remediation & Mitigation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update Mendix LDAP module to version 1.1.2 or later
CVEs (1)