Products
Mendix Runtime
- V10 (all versions < V10.14.0), V10.6 (all versions < V10.6.12), V10.12 (all versions < V10.12.2), V8 (all versions), V9 (all versions < V9.24.26); each is affected only if the application uses the basic authentication mechanism
Source
productcert@siemens.com
CVE-2023-49069 details
Last Modified : Sept. 10, 2024, 12:09 p.m.
Description
A vulnerability has been identified in Mendix Runtime V10 (All versions < V10.14.0 only if the basic authentication mechanism is used by the application), Mendix Runtime V10.12 (All versions < V10.12.2 only if the basic authentication mechanism is used by the application), Mendix Runtime V10.6 (All versions < V10.6.12 only if the basic authentication mechanism is used by the application), Mendix Runtime V8 (All versions only if the basic authentication mechanism is used by the application), Mendix Runtime V9 (All versions < V9.24.26 only if the basic authentication mechanism is used by the application). The authentication mechanism of affected applications contains an observable response discrepancy vulnerability when validating usernames. This could allow unauthenticated remote attackers to distinguish between valid and invalid usernames.
CVSS Score
5.3 / 10 (Medium)
Weakness
Weakness | Name | Description |
---|---|---|
CWE-204 | Observable Response Discrepancy | The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere. |
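As an added illustration of CWE-204 in an authentication path (this is not Mendix Runtime code and is not taken from the Siemens advisory; the user store, response messages, iteration count and helper names are constructed for the example), the following Python shows a credential check that reveals whether a username exists next to one that does not, plus the differential check a tester would run against either endpoint to decide whether it can be used to enumerate usernames:

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed in-memory user store for illustration only (not Mendix code).
# Passwords are stored as salted PBKDF2-HMAC-SHA256 hashes.
_ITERATIONS = 20_000  # assumed value, kept low so the example runs quickly


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)


_ALICE_SALT = os.urandom(16)
USERS = {
    "alice": {"salt": _ALICE_SALT, "hash": _derive("correct horse battery", _ALICE_SALT)},
}

# Dummy credential so that a lookup miss still costs one PBKDF2 derivation;
# this keeps the work done for unknown and known usernames the same.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _derive("not-a-real-password", _DUMMY_SALT)


def login_vulnerable(username: str, password: str) -> tuple[int, str]:
    """CWE-204: the failure response differs depending on whether the
    username exists, so an attacker learns validity without a password."""
    user = USERS.get(username)
    if user is None:
        return 401, "Unknown user"        # discloses: username is not valid
    if not hmac.compare_digest(_derive(password, user["salt"]), user["hash"]):
        return 401, "Invalid password"    # discloses: username is valid
    return 200, "OK"


def login_hardened(username: str, password: str) -> tuple[int, str]:
    """Same status code, same body and the same hashing work whether or not
    the username exists, so the two failure cases are indistinguishable."""
    user = USERS.get(username)
    salt = user["salt"] if user is not None else _DUMMY_SALT
    expected = user["hash"] if user is not None else _DUMMY_HASH
    match = hmac.compare_digest(_derive(password, salt), expected)
    if user is None or not match:
        return 401, "Invalid credentials"
    return 200, "OK"


def leaks_username_validity(login, known_user: str, unknown_user: str) -> bool:
    """Differential check: does a wrong password for a real account produce a
    different (status, body) than the same password for a non-existent one?
    True means the login path can be used to enumerate usernames."""
    wrong = "definitely-wrong-password"
    return login(known_user, wrong) != login(unknown_user, wrong)


if __name__ == "__main__":
    print("vulnerable leaks:", leaks_username_validity(login_vulnerable, "alice", "mallory"))
    print("hardened leaks:  ", leaks_username_validity(login_hardened, "alice", "mallory"))
```

The differential check compares only status and body; against a live basic-auth endpoint you would also compare response headers and response time, since a lookup miss that skips the password hash can leak the same information through timing even when the message is constant (the dummy derivation in `login_hardened` is there to narrow that gap).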
CVSS Data
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
Base Score
5.3
Exploitability Score
3.9
Impact Score
1.4
Base Severity
MEDIUM
Vector String : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References
URL | Source |
---|---|
https://cert-portal.siemens.com/productcert/html/ssa-097435.html | productcert@siemens.com |