CVE-2024-39888

A vulnerability has been identified in Mendix Encryption (All versions >= V10.0.0 < V10.0.2). Affected versions of the module define a specific hard-coded default value for the EncryptionKey constant, which is used in projects where no individual EncryptionKey was specified. This could allow to an attacker to decrypt any encrypted project data, as the default encryption key can be considered compromised.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://cert-portal.siemens.com/productcert/html/ssa-998949.html
https://cert-portal.siemens.com/productcert/html/ssa-998949.html

Configurations

No configuration.

History

21 Nov 2024, 09:28

Type	Values Removed	Values Added
Summary		(es) Se ha identificado una vulnerabilidad en Mendix Encryption (Todas las versiones >= V10.0.0 < V10.0.2). Las versiones afectadas del módulo definen un valor predeterminado codificado específico para la constante EncryptionKey, que se utiliza en proyectos donde no se especificó ninguna EncryptionKey individual. Esto podría permitir a un atacante descifrar cualquier dato cifrado del proyecto, ya que la clave de cifrado predeterminada puede considerarse comprometida.
References	~~() https://cert-portal.siemens.com/productcert/html/ssa-998949.html -~~	() https://cert-portal.siemens.com/productcert/html/ssa-998949.html -

09 Jul 2024, 12:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-07-09 12:15

Updated : 2024-11-21 09:28

NVD link : CVE-2024-39888

Mitre link : CVE-2024-39888

CVE.ORG link : CVE-2024-39888

JSON object : View

Products Affected

No product.

CWE

CWE-547

Use of Hard-coded, Security-relevant Constants

{"id": "CVE-2024-39888", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "productcert@siemens.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "productcert@siemens.com", "cvssData": {"safety": "NOT_DEFINED", "version": "4.0", "recovery": "NOT_DEFINED", "baseScore": 8.7, "automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "modifiedAttackVector": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subsequentSystemIntegrity": "NONE", "vulnerableSystemIntegrity": "NONE", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "confidentialityRequirements": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "vulnerableSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "vulnerableSystemConfidentiality": "HIGH", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED"}}]}, "published": "2024-07-09T12:15:20.283", "references": [{"url": "https://cert-portal.siemens.com/productcert/html/ssa-998949.html", "source": "productcert@siemens.com"}, {"url": "https://cert-portal.siemens.com/productcert/html/ssa-998949.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "productcert@siemens.com", "description": [{"lang": "en", "value": "CWE-547"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in Mendix Encryption (All versions >= V10.0.0 < V10.0.2). Affected versions of the module define a specific hard-coded default value for the EncryptionKey constant, which is used in projects where no individual EncryptionKey was specified.\r\n\r\nThis could allow to an attacker to decrypt any encrypted project data, as the default encryption key can be considered compromised."}, {"lang": "es", "value": "Se ha identificado una vulnerabilidad en Mendix Encryption (Todas las versiones >= V10.0.0 < V10.0.2). Las versiones afectadas del m\u00f3dulo definen un valor predeterminado codificado espec\u00edfico para la constante EncryptionKey, que se utiliza en proyectos donde no se especific\u00f3 ninguna EncryptionKey individual. Esto podr\u00eda permitir a un atacante descifrar cualquier dato cifrado del proyecto, ya que la clave de cifrado predeterminada puede considerarse comprometida."}], "lastModified": "2024-11-21T09:28:30.540", "sourceIdentifier": "productcert@siemens.com"}