CVE-2022-31257

A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.31), Mendix Applications using Mendix 8 (All versions < V8.18.18), Mendix Applications using Mendix 9 (All versions < V9.14.0), Mendix Applications using Mendix 9 (V9.12) (All versions < V9.12.2), Mendix Applications using Mendix 9 (V9.6) (All versions < V9.6.12). In case of access to an active user session in an application that is built with an affected version, it’s possible to change that user’s password bypassing password validations within a Mendix application. This could allow to set weak passwords.

CVSS v3 7.5 HIGH
CVSS v2.0 5.0 MEDIUM

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:N/I:P/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://cert-portal.siemens.com/productcert/pdf/ssa-433782.pdf	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:mendix:mendix::::::::
	cpe:2.3:a:mendix:mendix::::::::
	cpe:2.3:a:mendix:mendix::::::::
	cpe:2.3:a:mendix:mendix::::::::
	cpe:2.3:a:mendix:mendix::::::::

History

24 Jul 2023, 13:16

Type	Values Removed	Values Added
CWE	~~CWE-269~~	NVD-CWE-Other

Information

Published : 2022-07-12 10:15

Updated : 2024-02-28 19:29

NVD link : CVE-2022-31257

Mitre link : CVE-2022-31257

CVE.ORG link : CVE-2022-31257

JSON object : View

Products Affected

mendix

mendix

CWE

NVD-CWE-Other CWE-284

Improper Access Control

{"id": "CVE-2022-31257", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2022-07-12T10:15:10.653", "references": [{"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-433782.pdf", "tags": ["Patch", "Vendor Advisory"], "source": "productcert@siemens.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}, {"type": "Secondary", "source": "productcert@siemens.com", "description": [{"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.31), Mendix Applications using Mendix 8 (All versions < V8.18.18), Mendix Applications using Mendix 9 (All versions < V9.14.0), Mendix Applications using Mendix 9 (V9.12) (All versions < V9.12.2), Mendix Applications using Mendix 9 (V9.6) (All versions < V9.6.12). In case of access to an active user session in an application that is built with an affected version, it\u2019s possible to change that user\u2019s password bypassing password validations within a Mendix application. This could allow to set weak passwords."}, {"lang": "es", "value": "Se ha identificado una vulnerabilidad en las aplicaciones de Mendix usando Mendix 7 (Todas las versiones anteriores a V7.23.31), las aplicaciones de Mendix usando Mendix 8 (Todas las versiones anteriores a V8.18.18), las aplicaciones de Mendix usando Mendix 9 (Todas las versiones anteriores a V9.14.0), las aplicaciones de Mendix usando Mendix 9 (versi\u00f3n V9.12) (Todas las versiones anteriores a V9.12.2), las aplicaciones de Mendix usando Mendix 9 (versi\u00f3n V9.6) (Todas las versiones anteriores a V9.6.12). En caso de acceder a una sesi\u00f3n de usuario activa en una aplicaci\u00f3n construida con una versi\u00f3n afectada, es posible cambiar la contrase\u00f1a de ese usuario omitiendo las comprobaciones de contrase\u00f1a dentro de una aplicaci\u00f3n Mendix. Esto podr\u00eda permitir establecer contrase\u00f1as d\u00e9biles"}], "lastModified": "2023-07-24T13:16:39.377", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mendix:mendix:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A25B23A6-DFBF-46B4-BF0C-5819189EB009", "versionEndExcluding": "7.32.31", "versionStartIncluding": "7.0.0"}, {"criteria": "cpe:2.3:a:mendix:mendix:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8471E2B7-B69D-4D3F-AA7C-B953F28E6D6E", "versionEndExcluding": "8.18.18", "versionStartIncluding": "8.0.0"}, {"criteria": "cpe:2.3:a:mendix:mendix:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DB45CC2F-34B6-4824-8DFC-E571C3F1E873", "versionEndExcluding": "9.6.12", "versionStartIncluding": "9.6.0"}, {"criteria": "cpe:2.3:a:mendix:mendix:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "11365A01-2860-4627-8947-1FDB3DC0C454", "versionEndExcluding": "9.12.2", "versionStartIncluding": "9.12.0"}, {"criteria": "cpe:2.3:a:mendix:mendix:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F6942480-6F30-4C74-81DB-ED498BCA42F2", "versionEndExcluding": "9.14.0", "versionStartIncluding": "9.13.0"}], "operator": "OR"}]}], "sourceIdentifier": "productcert@siemens.com"}