OTPulse

Improper Privilege Management Vulnerability in Mendix Runtime

Status: Monitor · CVSS: 5.9 · Advisory: SSA-540640 · Jun 11, 2024
Attack Vector: Network
Auth Required: High
Complexity: High
User Interaction: None needed
Summary

Apps built with Mendix Runtime >= V9.3.0 allow users with the capability to manage a role to elevate the access rights of users with that role. Successful exploitation requires guessing the ID of a target role that contains elevated access rights. Affected versions: Mendix 10 before 10.11.0, Mendix 10.6 before 10.6.9, and Mendix 9 from 9.3.0 through 9.24.21.

What this means
What could happen
An authorized user with role management capabilities could escalate privileges within the application, potentially gaining unauthorized access to sensitive functions or data that should be restricted to higher-privilege roles.
Who's at risk
Organizations operating Mendix applications built on affected runtime versions (Mendix 9, 10, and 10.6). This affects any business application using Mendix for process automation, data management, or control interfaces that relies on role-based access control.
How it could be exploited
An attacker with legitimate role-management access to a Mendix application would navigate to the role management interface and attempt to elevate a user's rights by modifying role assignments. The attacker must guess or know the ID of a target role containing elevated permissions to successfully escalate access.
Prerequisites
  • Legitimate user account with role management capabilities in the Mendix application
  • Knowledge or ability to guess the ID of a target role containing elevated access rights
  • Network access to the Mendix application's role management interface
  • Requires prior authentication and elevated permissions
  • Low exploit probability (0.2% EPSS)
  • Affects access control mechanisms
  • Requires attacker to guess role IDs
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (3), all with a fix available

Product                                      Affected Versions       Fix Status
Mendix Applications using Mendix 10          < V10.11.0              10.11.0
Mendix Applications using Mendix 10 (V10.6)  < V10.6.9               10.6.9
Mendix Applications using Mendix 9           ≥ V9.3.0, < V9.24.22    9.24.22
Remediation & Mitigation
Do now
HARDENING: Restrict role management permissions to a minimal set of trusted administrators
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Mendix Runtime to version 10.11.0 or later for Mendix 10 applications
HOTFIX: Update Mendix Runtime to version 10.6.9 or later for Mendix 10.6 applications
HOTFIX: Update Mendix Runtime to version 9.24.22 or later for Mendix 9 applications