VDB

ICSA-23-075-05

ICSA-23-075-05 PUBLISHED CVSS 9.100000381469727 CRITICAL

The Mendix SAML module insufficiently verifies the SAML assertions. This could allow unauthenticated remote attackers to bypass authentication and get access to the application. Mendix has provided fix releases for the Mendix SAML module and recommends to update to the latest version. Note: For compatibility reasons, fixes for several versions of the Mendix SAML module were introduced in two release steps: - The first fix versions address CVE-2023-25957. It removes the vulnerability, except when the recommended, default configuration option 'Use Encryption' is disabled. - The second fix versions address CVE-2023-29129, which removes the issue for the non default configuration as well.

Risk Scores

CVSS v3.1
9.100000381469727
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C

Affected Products

VendorProductVersions
Mendix SAML (Mendix 9.12/9.18 compatible, Upgrade Track)
Mendix SAML (Mendix 8 compatible)
Mendix SAML (Mendix 9 latest compatible, Upgrade Track)
Mendix SAML (Mendix 7 compatible)
Mendix SAML (Mendix 9.6 compatible, New Track)
Mendix SAML (Mendix 9 latest compatible, New Track)
Mendix SAML (Mendix 9.12/9.18 compatible, New Track)
Mendix SAML (Mendix 9.6 compatible, Upgrade Track)

Timeline

  • Mar 14, 2023 CVE Published
  • May 6, 2025 CVE Updated

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›