CNVD-2023-17659 — Vulnetix

CNVD-2023-17659 PUBLISHED CVSS 9.100000381469727 CRITICAL

Mendix SAML模块允许在云应用程序中使用SAML对用户进行身份验证。该模块可以与任何支持SAML2.0或Shibboleth的身份提供程序通信。 Siemens Mendix SAML Module存在认证绕过漏洞，该漏洞源于未充分验证SAML断言，攻击者可利用该漏洞绕过身份验证并访问应用程序。

Risk Scores

CVSS 3.1

9.100000381469727

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C

Affected Products

Vendor	Product	Versions
Siemens	Mendix SAML (Mendix 8 compatible)	*
Siemens	Mendix SAML (Mendix 9.6 compatible, Upgrade Track)	*
Siemens	Mendix SAML (Mendix 9 latest compatible, New Track)	All versions >= V3.1.9 < V3.3.1
Siemens	Mendix SAML (Mendix 9 latest compatible, Upgrade Track)	All versions >= V3.1.8 < V3.3.0
Siemens	Mendix SAML (Mendix 7 compatible)	All versions >= V1.16.4 < V1.17.3
Siemens	Mendix SAML (Mendix 9.6 compatible, New Track)	All versions >= V3.1.9 < V3.2.7

Exploit Intelligence

https://cert-portal.siemens.com/productcert/pdf/ssa-851884.pdf (circl)
CIRCL seen: CVE-2023-25957 (circl-sighting)
Linux_Exploit_CVE_2021_4034.yar (github-yara)
Linux_Exploit_CVE_2021_4034.yar (github-yara)
Linux_Exploit_CVE_2021_4034.yar (github-yara)
Linux_Exploit_CVE_2021_4034.yar (github-yara)
Linux_Exploit_CVE_2021_4034.yar (github-yara)
Linux_Exploit_CVE_2021_4034.yar (github-yara)
CVE-2022-2588.yara (github-yara)
CVE-2022-2588.yara (github-yara)

…and 18 more exploits

Timeline

Mar 14, 2023 CVE Published
Mar 30, 2023 PoC Published
Dec 8, 2023 PoC Published
Mar 1, 2024 PoC Published
Jul 14, 2024 PoC Published
Jul 17, 2024 PoC Published
Oct 31, 2024 PoC Published
Dec 27, 2024 PoC Published
Feb 12, 2025 PoC Published
Feb 13, 2025 PoC Published
Mar 28, 2025 PoC Published
Sep 19, 2025 PoC Published

References

https://cert-portal.siemens.com/productcert/pdf/ssa-851884.pdf url

Open in Interactive Console →