VDB

CVE-2022-44457

CVE-2022-44457 PUBLISHED CVSS 9.800000190734863 CRITICAL

A vulnerability has been identified in Mendix SAML Module (Mendix 7 compatible) (All versions < V1.17.0), Mendix SAML Module (Mendix 7 compatible) (All versions >= V1.17.0), Mendix SAML Module (Mendix 8 compatible) (All versions < V2.3.0), Mendix SAML Module (Mendix 8 compatible) (All versions >= V2.3.0 < V2.3.2), Mendix SAML Module (Mendix 9 compatible, New Track) (All versions < V3.3.1), Mendix SAML Module (Mendix 9 compatible, New Track) (All versions >= V3.3.1 < V3.3.5), Mendix SAML Module (Mendix 9 compatible, Upgrade Track) (All versions < V3.3.0), Mendix SAML Module (Mendix 9 compatible, Upgrade Track) (All versions >= V3.3.0 < V3.3.4). Affected versions of the module insufficiently protect from packet capture replay, only when the not recommended, non default configuration option `'Allow Idp Initiated Authentication'` is enabled. This CVE entry describes the incomplete fix for CVE-2022-37011 in a specific non default configuration.

EPSS 0.46% · 64.4th percentile

Risk Scores

CVSS v3.1
9.800000190734863
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
0.46%
64.4th percentile

Affected Products

VendorProductVersions
SiemensMendix SAML (Mendix 8 compatible)All versions < V2.3.0, *
SiemensMendix SAML (Mendix 9 compatible, Upgrade Track)All versions >= V3.3.0 < V3.3.4, All versions < V3.3.0
SiemensMendix SAML (Mendix 7 compatible)*, *
SiemensMendix SAML (Mendix 9 compatible, New Track)*, All versions >= V3.3.1 < V3.3.5
mendixsaml3.3.0, 2.3.0, 0

Timeline

  • Nov 8, 2022 CVE Published
  • Nov 9, 2022 EPSS Score
  • Dec 22, 2022 EPSS Score
  • Feb 3, 2023 EPSS Score
  • Mar 7, 2023 EPSS Score
  • Mar 18, 2023 EPSS Score
  • Apr 30, 2023 EPSS Score
  • Jun 12, 2023 EPSS Score
  • Jul 25, 2023 EPSS Score
  • Sep 6, 2023 EPSS Score
  • Oct 19, 2023 EPSS Score
  • Dec 1, 2023 EPSS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›