SSA-638652 PUBLISHED CVSS 7.4 HIGH

The Mendix SAML module insufficiently protects against packet capture replay. This could allow unauthorized remote attackers to bypass authentication and gain access to the application.

Mendix has provided fix releases for the Mendix SAML module and recommends updating to the latest version.

Note: For compatibility reasons, fix versions are introduced in two release steps:

- The first fix versions address CVE-2022-37011. They remove the vulnerability, except when the non-default (and not recommended) configuration option 'Allow Idp Initiated Authentication' is enabled.
- The second fix versions address CVE-2022-44457, which removes the issue for the non-default configuration as well.
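The replay-protection property the advisory describes, as an added example that is not Mendix's or Siemens' code: a service-provider-side guard that correlates InResponseTo with requests it issued, enforces the assertion validity window, and refuses assertion IDs it has already consumed. The sample Response, its timestamps, the class and method names and the allow_idp_initiated switch are constructed for illustration; the advisory does not describe how the actual fix is implemented.

```python
# Added example, not Mendix code: replay guard for SAML 2.0 Responses. Assumes the
# XML signature was already verified; this only asks "has this assertion been used?"
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"   # ElementTree namespace prefix

def saml_time(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))  # UTC, trailing Z

class ReplayGuard:
    def __init__(self, allow_idp_initiated=False, skew=timedelta(minutes=2)):
        self.allow_idp_initiated, self.skew = allow_idp_initiated, skew
        self.pending = set()    # AuthnRequest IDs we issued and not yet consumed
        self.seen = {}          # consumed assertion ID -> NotOnOrAfter

    def issue_request_id(self, request_id):
        self.pending.add(request_id)

    def accept(self, xml_text, now):
        """Return (accepted, reason); records the assertion ID on success."""
        root = ET.fromstring(xml_text)
        # Forget assertions whose window has closed so the cache stays bounded.
        self.seen = {i: t for i, t in self.seen.items() if t + self.skew > now}
        in_response_to = root.get("InResponseTo")
        if in_response_to is None:
            # IdP-initiated: nothing to correlate with; only the ID cache below catches a replay.
            if not self.allow_idp_initiated:
                return False, "unsolicited response rejected"
        elif in_response_to not in self.pending:
            return False, "InResponseTo matches no outstanding request"
        assertion = root.find(SAML + "Assertion")
        cond = None if assertion is None else assertion.find(SAML + "Conditions")
        if cond is None:
            return False, "assertion or conditions missing"
        not_before, not_after = (saml_time(cond.get(a)) for a in ("NotBefore", "NotOnOrAfter"))
        if now < not_before - self.skew or now >= not_after + self.skew:
            return False, "assertion outside its validity window"
        if assertion.get("ID") in self.seen:
            return False, "assertion ID already consumed (replay)"
        self.seen[assertion.get("ID")] = not_after
        self.pending.discard(in_response_to)
        return True, "accepted"

# Constructed sample Response (unsigned; signature handling is out of scope here).
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" InResponseTo="_req1">
  <saml:Assertion ID="_a1"><saml:Conditions NotBefore="2023-01-01T12:00:00Z"
  NotOnOrAfter="2023-01-01T12:05:00Z"/></saml:Assertion></samlp:Response>"""
UNSOLICITED = SAMPLE.replace(' InResponseTo="_req1"', "")
```

With IdP-initiated authentication enabled there is no InResponseTo to correlate, so a captured Response can only be stopped by the consumed-ID cache, which is why that configuration needed the second fix step.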

Risk Scores

CVSS v3.1
7.4
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C

Affected Products

Vendor | Product | Versions
Mendix SAML (Mendix 7 compatible)
Mendix SAML (Mendix 8 compatible)
Mendix SAML (Mendix 9 compatible, New Track)
Mendix SAML (Mendix 9 compatible, Upgrade Track)
