Improper Access Control Vulnerability in Mendix
Plan: Patch | 7.7 | SSA-415938 | Mar 8, 2022
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
An improper access control vulnerability in Mendix Studio Pro allows an authenticated user to retrieve job execution status information belonging to other users. The result is information disclosure: in certain cases, a user with valid credentials can view job runs that other users initiated.
What this means
What could happen
An attacker with login credentials could retrieve job execution status information belonging to other users, potentially exposing operational data or process details that should remain confidential.
Who's at risk
Organizations using Mendix 7 (versions before 7.23.29) to build industrial applications or operational dashboards where job status is sensitive. This affects any enterprise application running on Mendix that handles background jobs or scheduled processes.
How it could be exploited
An authenticated user logs into a Mendix application and makes requests to view job status. The application fails to properly check that the user should only see their own jobs, allowing them to retrieve job information created by other users.
Prerequisites
- Valid login credentials to the Mendix application
- Network access to the Mendix application web interface
- Knowledge of another user's job ID or ability to enumerate job IDs
- Requires authentication
- Affects data confidentiality
- Mendix is used in OT/IT environments for supervisory applications
- Access control weakness
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (1)
Product | Affected Versions | Fix Status
Mendix Applications using Mendix 7 | < V7.23.29 | 7.23.29 or later
Remediation & Mitigation
Do now
HARDENING: Review access logs to identify whether job status information was accessed by unauthorized users
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update the Mendix project to version 7.23.29 or later
HOTFIX: Redeploy the updated Mendix application to production
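As an added example (not Mendix's own code), the ownership check described under "How it could be exploited" in its weak and hardened forms, plus a log-review pass for the "Do now" step. The job table, the access-log line format and the field names are constructed assumptions; Mendix's real log format differs.

```python
# Added example, not Mendix's code: the ownership check the advisory says
# was missing, beside a log-review pass for the "Do now" step. The job
# table, log format and field names are constructed assumptions.

# Constructed job table: job_id -> (owner, status).
JOBS = {
    "job-1001": ("alice", "finished"),
    "job-1002": ("bob", "running"),
    "job-1003": ("alice", "failed"),
}

def get_job_status_unchecked(requester, job_id):
    """Weak pattern: requester is never consulted, any user reads any job."""
    job = JOBS.get(job_id)
    return job[1] if job else None

def get_job_status(requester, job_id):
    """Hardened: only the owner gets the record. A foreign job and a
    missing job both yield None, so IDs cannot be confirmed by probing."""
    job = JOBS.get(job_id)
    if job is None or job[0] != requester:
        return None
    return job[1]

def find_cross_user_reads(log_lines):
    """Flag job-status reads where the reader is not the job's owner.
    Assumed log format: '<ts> user=<name> action=<a> [job=<id>]'.
    Returns (reader, job_id, owner) tuples for the review step."""
    hits = []
    for line in log_lines:
        f = dict(p.split("=", 1) for p in line.split()[1:] if "=" in p)
        job = JOBS.get(f.get("job", ""))
        if f.get("action") == "job_status" and job and job[0] != f.get("user"):
            hits.append((f["user"], f["job"], job[0]))
    return hits

# Constructed access log: one legitimate read, two cross-user reads,
# one unrelated event and one read of an unknown job ID.
SAMPLE_LOG = [
    "2022-03-08T10:00:01Z user=alice action=job_status job=job-1001",
    "2022-03-08T10:00:07Z user=bob action=job_status job=job-1001",
    "2022-03-08T10:00:09Z user=bob action=login",
    "2022-03-08T10:00:12Z user=bob action=job_status job=job-1003",
    "2022-03-08T10:00:15Z user=carol action=job_status job=job-9999",
]

if __name__ == "__main__":
    for reader, job_id, owner in find_cross_user_reads(SAMPLE_LOG):
        print(f"cross-user read: {reader} read {job_id} owned by {owner}")
```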
CVEs (1)
API:
/api/v1/advisories/81a4924e-2b3a-41d3-a2c9-97d7e71c5883