ICSA-22-258-04
The Mendix SAML module insufficiently protects from packet capture replay. This could allow unauthorized remote attackers to bypass authentication and get access to the application. Mendix has provided fix releases for the Mendix SAML module and recommends to update to the latest version. Note: For compatibility reasons, fix versions are introduced in two release steps: - The first fix versions address CVE-2022-37011. It removes the vulnerability, except when the not recommended, non default configuration option 'Allow Idp Initiated Authentication' is enabled. - The second fix versions address CVE-2022-44457, which removes the issue for the non default configuration as well.
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mendix SAML (Mendix 9 compatible, Upgrade Track) | ||
| Mendix SAML (Mendix 9 compatible, New Track) | ||
| Mendix SAML (Mendix 8 compatible) | ||
| Mendix SAML (Mendix 7 compatible) |
Timeline
- Sep 13, 2022 CVE Published
- Dec 13, 2022 CVE Updated
References
- https://cert-portal.siemens.com/productcert/csaf/ssa-638652.json advisory
- https://cert-portal.siemens.com/productcert/txt/ssa-638652.txt advisory
- https://cert-portal.siemens.com/productcert/pdf/ssa-638652.pdf advisory
- https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2022/icsa-22-258-04.json advisory
- https://www.cisa.gov/news-events/ics-advisories/icsa-22-258-04 advisory
- https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01 url
- https://www.cisa.gov/resources-tools/resources/ics-recommended-practices url
- https://www.cisa.gov/topics/industrial-control-systems url
- https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf url
- https://www.cisa.gov/sites/default/files/publications/Cybersecurity_Best_Practices_for_Industrial_Control_Systems.pdf url
- https://www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B url
- https://marketplace.mendix.com/link/component/1174/ fix