OTPulse

Two Incorrect Authorization Vulnerabilities in Mendix

Monitor · CVSS 5.3 · SSA-779699 · Nov 9, 2021
Attack Vector: Network
Auth Required: Low
Complexity: High
User Interaction: None needed
Summary

Applications built with Mendix Studio Pro versions 8 (before 8.18.13) and 9 (before 9.6.2) do not properly enforce access controls for client actions. Authenticated users can manipulate System.FileDocument objects (uploaded files) or retrieve the changedDate attribute of arbitrary data objects they should not have access to. Mendix has released patches for both major versions.

What this means
What could happen
An authenticated user could modify uploaded files or retrieve metadata (timestamps) from data objects they should not have access to, potentially exposing sensitive information or corrupting document records in your Mendix application.
Who's at risk
Organizations using Mendix-based business applications, particularly those handling document management or sensitive data through uploaded files and queryable object attributes. Any company that has deployed custom applications built with the affected Mendix 8 or 9 versions is exposed until those applications are rebuilt and redeployed on a patched version.
How it could be exploited
An attacker with valid login credentials accesses your Mendix application and sends crafted requests to perform unauthorized read or write operations on file objects and other data attributes through the application's client interface. The vulnerability exists in how Mendix applications enforce access rules for these specific operations.
Prerequisites
  • Valid user account (authenticated access to the application)
  • Mendix application built with vulnerable versions (Mendix 8 before 8.18.13 or Mendix 9 before 9.6.2)
Tags: requires valid user account · medium severity · access control bypass · file manipulation possible · metadata exposure possible · affects data integrity
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (2), 2 with fix

Product                             Affected Versions   Fix Status
Mendix Applications using Mendix 8  < V8.18.13          8.18.13
Mendix Applications using Mendix 9  < V9.6.2            9.6.2 or V9.7.0
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Mendix Studio Pro to version 8.18.13 or later (for Mendix 8 applications)
HOTFIX: Update Mendix Studio Pro to version 9.6.2, 9.7.0, or later (for Mendix 9 applications)
HOTFIX: Redeploy your Mendix application after updating the development platform
Long-term hardening
HARDENING: Audit access control rules in your Mendix application to ensure file and object-level permissions are properly configured for your users and roles
API: /api/v1/advisories/182f9536-d02c-4af0-8d18-d29189988b09