CVE-2023-25957 — Vulnetix

CVE-2023-25957 PUBLISHED CVSS 9.100000381469727 CRITICAL

A vulnerability has been identified in Mendix SAML (Mendix 7 compatible) (All versions >= V1.16.4 < V1.17.3), Mendix SAML (Mendix 8 compatible) (All versions >= V2.2.0 < V2.3.0), Mendix SAML (Mendix 9 latest compatible, New Track) (All versions >= V3.1.9 < V3.3.1), Mendix SAML (Mendix 9 latest compatible, Upgrade Track) (All versions >= V3.1.8 < V3.3.0), Mendix SAML (Mendix 9.6 compatible, New Track) (All versions >= V3.1.9 < V3.2.7), Mendix SAML (Mendix 9.6 compatible, Upgrade Track) (All versions >= V3.1.8 < V3.2.6). The affected versions of the module insufficiently verify the SAML assertions. This could allow unauthenticated remote attackers to bypass authentication and get access to the application. For compatibility reasons, fix versions still contain this issue, but only when the recommended, default configuration option `'Use Encryption'` is disabled.

EPSS 0.06% · 18.8th percentile

Risk Scores

CVSS v3.1

9.100000381469727

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS Score

0.06%

18.8th percentile

Affected Products

Vendor	Product	Versions
Siemens	Mendix SAML (Mendix 9 latest compatible, Upgrade Track)	All versions >= V3.1.8 < V3.3.0
Siemens	Mendix SAML (Mendix 7 compatible)	*
Siemens	Mendix SAML (Mendix 9 latest compatible, New Track)	All versions >= V3.1.9 < V3.3.1
Siemens	Mendix SAML (Mendix 9.6 compatible, New Track)	All versions >= V3.1.9 < V3.2.7
mendix	saml	3.1.9, 1.16.4, 2.2.0
Siemens	Mendix SAML (Mendix 9.6 compatible, Upgrade Track)	All versions >= V3.1.8 < V3.2.6
Siemens	Mendix SAML (Mendix 8 compatible)	*

Timeline

Mar 14, 2023 CVE Published
Mar 15, 2023 EPSS Score
Apr 23, 2023 EPSS Score
May 31, 2023 EPSS Score
Jul 9, 2023 EPSS Score
Aug 16, 2023 EPSS Score
Sep 24, 2023 EPSS Score
Nov 2, 2023 EPSS Score
Dec 8, 2023 PoC Published
Dec 10, 2023 EPSS Score
Jan 18, 2024 EPSS Score
Feb 26, 2024 EPSS Score

References

Open in Interactive Console →