OTPulse

Improper Access Control Vulnerability in Mendix

Severity: Low Risk (CVSS 3.1) · Advisory: SSA-870917 · Published: Apr 12, 2022
Attack Vector: Network
Auth Required: Low
Complexity: High
User Interaction: None needed
Summary

A vulnerability in Mendix allows authenticated users to extract information about the contents of protected database fields by sorting query results. An attacker with valid credentials could infer sensitive data values from protected fields without direct read access. Siemens has released patched versions for all affected Mendix versions (7.23.27, 8.18.14, 9.12.0, and 9.6.3 or later).

What this means
What could happen
An authenticated attacker could extract sensitive information from database fields that are supposed to be protected by sorting query results to infer the contents of those fields. This could expose plant process data, equipment parameters, or other business-critical information stored in your application database.
Who's at risk
Any water utility, electric utility, or industrial facility using Mendix applications (versions 7, 8, or 9 before the specified patch versions) to manage SCADA data, operational databases, or equipment configuration should assess its exposure. This especially affects applications used for remote parameter management, historian interfaces, or alarm database systems.
How it could be exploited
An attacker with valid credentials accesses your Mendix application and crafts database queries that use the sort functionality on protected fields. By observing the sort order or error responses, the attacker infers the values stored in those protected fields without direct access to read them.
Prerequisites
  • Valid user credentials to access the Mendix application
  • Network access to the application interface
  • Knowledge of which fields are protected
Requires valid user credentials · Requires high complexity attack (AC:H) · Authentication required · Low CVSS score (3.1) · Affects information confidentiality only
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (4)
4 with fix
Product                                        Affected Versions   Fix Status
Mendix Applications using Mendix 7             < V7.23.27          7.23.27
Mendix Applications using Mendix 8             < V8.18.14          8.18.14
Mendix Applications using Mendix 9             < V9.12.0           9.12.0
Mendix Applications using Mendix 9 (V9.6)      < V9.6.3            9.12.0
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Mendix Applications using Mendix 9 (V9.6)
HOTFIX: Update Mendix 9 applications to version 9.12.0 or later and redeploy (or 9.6.3+ for v9.6 deployments)
All products
HOTFIX: Update Mendix 7 applications to version 7.23.27 or later and redeploy
HOTFIX: Update Mendix 8 applications to version 8.18.14 or later and redeploy
Long-term hardening
HARDENING: Review database access controls and user role assignments to minimize the number of users with query access to sensitive fields