OTPulse

Information Disclosure Vulnerability in Mendix Database Replication Module

Monitor · CVSS 4.3 · SSA-919955 · May 11, 2021
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

Mendix Database Replication module versions prior to 7.0.1 contain an information disclosure vulnerability that allows authenticated users to access sensitive data. The vulnerability is fixed in version 7.0.1 and later.

What this means
What could happen
An attacker with valid credentials could read sensitive data stored in the Mendix database replication module, such as configuration details or internal application information that should not be exposed.
Who's at risk
Organizations running Mendix low-code application development and deployment platforms with the Database Replication module enabled, particularly those using Mendix for process automation or data integration in industrial environments.
How it could be exploited
An attacker with valid login credentials accesses the Mendix Database Replication module over the network and uses the information disclosure vulnerability to retrieve sensitive information. Exploitation requires authentication but no additional complexity.
Prerequisites
  • Network access to the Mendix Database Replication module
  • Valid user credentials for the module
  • Module version older than 7.0.1
Tags: remotely exploitable · requires valid credentials · information disclosure
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
Product                       Affected Versions   Fix Status
Mendix Database Replication   < V7.0.1            7.0.1
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Mendix Database Replication module to version 7.0.1 or later
API: /api/v1/advisories/85f440f4-9827-451e-85cc-4d5fc817e6bf