Information Disclosure Vulnerability in Mendix
Monitor 4 | SSA-338732 | Nov 9, 2021
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Applications built with affected versions of Mendix Studio Pro do not prevent file documents from being cached when files are opened or downloaded using a browser. A local attacker could read those documents by exploring the browser cache.
What this means
What could happen
A local attacker with access to a workstation could recover sensitive documents (engineering designs, operational procedures, configurations) from the browser cache of web applications built with vulnerable Mendix versions.
Who's at risk
This affects organizations using web-based Mendix applications for operational monitoring, control, or data management in water, electric, or other utilities. Specifically, applications that allow download or display of sensitive documents (such as SCADA configurations, process control parameters, or engineering documentation) through Mendix web portals built with vulnerable versions.
How it could be exploited
An attacker with local access to a workstation used to open or download files through a Mendix web application can examine the browser cache directory to recover unencrypted cached documents without authentication.
Prerequisites
- Local access to a workstation running a browser that has accessed a Mendix application
- Mendix application built with an affected version of Mendix Studio Pro
- Browser cache not manually cleared
- Local access required
- Low complexity exploitation
- Affects confidentiality of sensitive operational documents
- Low EPSS score but proof-of-concept available
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (3)
3 with fix
Product | Affected Versions | Fix Status
Mendix Applications using Mendix 7 | < V7.23.26 | 7.23.26
Mendix Applications using Mendix 8 | < V8.18.12 | 8.18.12
Mendix Applications using Mendix 9 | < V9.6.1 | 9.6.1 or V9.7.0
Remediation & Mitigation
Do now
- WORKAROUND: Instruct workstation users to clear browser cache after working with Mendix applications containing sensitive documents
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update Mendix Studio Pro to version 7.23.26 or later, rebuild the application, and redeploy to production
- HOTFIX: Update Mendix Studio Pro to version 8.18.12 or later, rebuild the application, and redeploy to production
- HOTFIX: Update Mendix Studio Pro to version 9.6.1, 9.7.0, or later, rebuild the application, and redeploy to production
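One way to check, after redeploying, whether file responses can still end up in a browser cache is to classify their caching headers. This is an added example, not code from the advisory or from Mendix. It assumes standard HTTP caching semantics (RFC 9111) and that the application signals non-cacheability through response headers; the paths and header sets are constructed.

```python
# Added example, not Mendix code: classify whether a browser may keep a copy
# of a response, per standard HTTP caching rules (RFC 9111).

def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument or None}.
    Simplification: quoted arguments containing commas are not handled."""
    directives = {}
    for part in (value or "").split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives

def cache_verdict(headers):
    """Return 'not-stored', 'stored-revalidated' or 'stored'."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control"))
    if "no-store" in cc:
        return "not-stored"            # only directive that forbids a cached copy
    pragma_only = "cache-control" not in h and "no-cache" in h.get("pragma", "").lower()
    if "no-cache" in cc or cc.get("max-age") == "0" or pragma_only:
        return "stored-revalidated"    # revalidated before reuse, but may still be cached
    return "stored"                    # no restriction: heuristic caching applies

def recoverable_from_cache(responses):
    """Return paths whose responses a browser may leave in its cache."""
    return [path for path, hdrs in responses if cache_verdict(hdrs) != "not-stored"]

# Constructed sample responses (paths and header sets are hypothetical).
SAMPLE_RESPONSES = [
    ("/download/a", {"Content-Type": "application/pdf"}),
    ("/download/b", {"Cache-Control": "private, max-age=0"}),
    ("/download/c", {"Pragma": "no-cache"}),
    ("/download/d", {"Cache-Control": "No-Store, no-cache"}),
]

if __name__ == "__main__":
    for path, hdrs in SAMPLE_RESPONSES:
        print(path, cache_verdict(hdrs))
```

Responses that only carry `no-cache`, `max-age=0` or `Pragma: no-cache` are reported as still recoverable, because those directives control reuse rather than storage.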
CVEs (1)