All the vulnerabilites related to Siemens - Mendix Runtime V10
cve-2023-49069
Vulnerability from cvelistv5
Published
2024-09-10 09:36
Modified
2024-10-10 14:48
Summary
A vulnerability has been identified in Mendix Runtime V10 (All versions only if the basic authentication mechanism is used by the application), Mendix Runtime V10.12 (All versions only if the basic authentication mechanism is used by the application), Mendix Runtime V10.6 (All versions only if the basic authentication mechanism is used by the application), Mendix Runtime V8 (All versions < V8.18.32 only if the basic authentication mechanism is used by the application), Mendix Runtime V9 (All versions only if the basic authentication mechanism is used by the application). The authentication mechanism of affected applications contains an observable response discrepancy vulnerability when validating usernames. This could allow unauthenticated remote attackers to distinguish between valid and invalid usernames.
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:siemens:mendix:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "mendix",
            "vendor": "siemens",
            "versions": [
              {
                "lessThan": "9.24.26",
                "status": "affected",
                "version": "8.0",
                "versionType": "custom"
              },
              {
                "lessThan": "10.6.12",
                "status": "affected",
                "version": "10.0",
                "versionType": "custom"
              },
              {
                "lessThan": "10.12.2",
                "status": "affected",
                "version": "10.7",
                "versionType": "custom"
              },
              {
                "lessThan": "10.14.0",
                "status": "affected",
                "version": "10.13",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-49069",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T18:35:09.531765Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-10T18:39:46.492Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Mendix Runtime V10",
          "vendor": "Siemens",
          "versions": [
            {
              "lessThan": "*",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "Mendix Runtime V10.12",
          "vendor": "Siemens",
          "versions": [
            {
              "lessThan": "*",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "Mendix Runtime V10.6",
          "vendor": "Siemens",
          "versions": [
            {
              "lessThan": "*",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "Mendix Runtime V8",
          "vendor": "Siemens",
          "versions": [
            {
              "lessThan": "V8.18.32",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "Mendix Runtime V9",
          "vendor": "Siemens",
          "versions": [
            {
              "lessThan": "*",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability has been identified in Mendix Runtime V10 (All versions only if the basic authentication mechanism is used by the application), Mendix Runtime V10.12 (All versions only if the basic authentication mechanism is used by the application), Mendix Runtime V10.6 (All versions only if the basic authentication mechanism is used by the application), Mendix Runtime V8 (All versions \u003c V8.18.32 only if the basic authentication mechanism is used by the application), Mendix Runtime V9 (All versions only if the basic authentication mechanism is used by the application). The authentication mechanism of affected applications contains an observable response discrepancy vulnerability when validating usernames. This could allow unauthenticated remote attackers to distinguish between valid and invalid usernames."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        },
        {
          "cvssV4_0": {
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-204",
              "description": "CWE-204: Observable Response Discrepancy",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-10T14:48:31.631Z",
        "orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
        "shortName": "siemens"
      },
      "references": [
        {
          "url": "https://cert-portal.siemens.com/productcert/html/ssa-097435.html"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
    "assignerShortName": "siemens",
    "cveId": "CVE-2023-49069",
    "datePublished": "2024-09-10T09:36:25.399Z",
    "dateReserved": "2023-11-21T11:51:19.666Z",
    "dateUpdated": "2024-10-10T14:48:31.631Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}