Information Disclosure Vulnerability in Mendix
CVSS 5.3 | SSA-414513 | Apr 12, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
An information disclosure vulnerability in Mendix applications allows an attacker to read sensitive data without authentication or user interaction. The vulnerability is present in Mendix 7 versions prior to V7.23.31, Mendix 8 versions prior to V8.18.18, Mendix 9 versions prior to V9.11, and Mendix 9 V9.6 versions prior to V9.6.12.
What this means
What could happen
An attacker could read sensitive data from Mendix applications over the network without credentials. This could expose configuration details, process parameters, or other confidential information stored in or accessible through the application.
Who's at risk
Organizations running Mendix-based applications, including industrial dashboards, SCADA frontends, or business process applications, should prioritize this. Mendix is commonly used to build enterprise applications that may collect and expose operational data from connected systems.
How it could be exploited
An attacker with network access to the Mendix application can exploit this vulnerability remotely without authentication or user interaction. The specific data accessible and attack path depend on application configuration and what data is stored or exposed by the Mendix framework.
Prerequisites
- Network access to the affected Mendix application
- No authentication required
Tags: remotely exploitable, no authentication required, low complexity
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (4), 4 with fix

Product                                    Affected Versions   Fix Status
Mendix Applications using Mendix 7         < V7.23.31          V7.23.31
Mendix Applications using Mendix 8         < V8.18.18          V8.18.18
Mendix Applications using Mendix 9         < V9.11             V9.11
Mendix Applications using Mendix 9 (V9.6)  < V9.6.12           V9.11
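As an added example (not from the advisory, Siemens or Mendix), a small triage script that encodes the affected-version table above, including the V9.6 maintenance line, which is fixed at V9.6.12 even though 9.6 sorts below the V9.11 mainline fix; the app inventory at the bottom is constructed.

```python
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# First fixed release per Mendix major line, as listed in the advisory table.
FIXED_BY_MAJOR: Dict[int, Version] = {7: (7, 23, 31), 8: (8, 18, 18), 9: (9, 11, 0)}
# The Mendix 9 V9.6 maintenance line has its own hotfix: 9.6.12 is fixed even
# though 9.6 sorts below 9.11, so it must be checked before the generic 9.x rule.
FIXED_9_6: Version = (9, 6, 12)


def parse_version(text: str) -> Version:
    """Parse 'V9.6.3', '9.6.3' or '9.11' into a (major, minor, patch) tuple."""
    nums = [int(p) for p in text.strip().lstrip("vV").split(".")]
    if not 1 <= len(nums) <= 3:
        raise ValueError(f"unexpected Mendix version format: {text!r}")
    return (nums[0], nums[1] if len(nums) > 1 else 0, nums[2] if len(nums) > 2 else 0)


def fix_version(text: str) -> Optional[Version]:
    """First fixed release for this version's line; None if the advisory
    does not cover that major line (for example Mendix 10)."""
    major, minor, _ = parse_version(text)
    if major == 9 and minor == 6:
        return FIXED_9_6
    return FIXED_BY_MAJOR.get(major)


def is_affected(text: str) -> Optional[bool]:
    """True if below the line's fix, False if patched, None if not covered."""
    fixed = fix_version(text)
    return None if fixed is None else parse_version(text) < fixed


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each affected app to the release it must be updated to."""
    result = {}
    for app, ver in inventory.items():
        if is_affected(ver):
            result[app] = "V" + ".".join(map(str, fix_version(ver)))
    return result


if __name__ == "__main__":
    # Constructed sample inventory: app name -> deployed Mendix runtime version.
    sample = {"plant-dashboard": "9.6.11", "hr-portal": "9.6.12",
              "scada-front": "8.18.17", "lab-app": "9.10.4", "new-app": "10.0.0"}
    for app, fix in triage(sample).items():
        print(f"{app}: update to {fix} or later and redeploy")
```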
Remediation & Mitigation
Do now
- WORKAROUND: Restrict network access to Mendix applications using firewall rules if possible until patches can be deployed
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
Mendix Applications using Mendix 9 (V9.6)
- HOTFIX: Update Mendix 9 V9.6 applications to version V9.6.12 or later and redeploy
All products
- HOTFIX: Update Mendix 7 applications to version V7.23.31 or later and redeploy
- HOTFIX: Update Mendix 8 applications to version V8.18.18 or later and redeploy
- HOTFIX: Update Mendix 9 applications to version V9.11 or later and redeploy
CVEs (1)
API: /api/v1/advisories/e7edcf25-f18d-485f-81a5-79f059cc60a5