SSA-851884
The Mendix SAML module insufficiently verifies the SAML assertions. This could allow unauthenticated remote attackers to bypass authentication and get access to the application. Mendix has provided fix releases for the Mendix SAML module and recommends to update to the latest version. Note: For compatibility reasons, fixes for several versions of the Mendix SAML module were introduced in two release steps: - The first fix versions address CVE-2023-25957. It removes the vulnerability, except when the recommended, default configuration option 'Use Encryption' is disabled. - The second fix versions address CVE-2023-29129, which removes the issue for the non default configuration as well.
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mendix SAML (Mendix 9.6 compatible, Upgrade Track) | ||
| Mendix SAML (Mendix 9.6 compatible, New Track) | ||
| Mendix SAML (Mendix 7 compatible) | ||
| Mendix SAML (Mendix 9 latest compatible, New Track) | ||
| Mendix SAML (Mendix 9 latest compatible, Upgrade Track) | ||
| Mendix SAML (Mendix 9.12/9.18 compatible, New Track) | ||
| Mendix SAML (Mendix 9.12/9.18 compatible, Upgrade Track) | ||
| Mendix SAML (Mendix 8 compatible) |
Timeline
- CVE Published
References
- https://cert-portal.siemens.com/productcert/html/ssa-851884.html advisory
- https://cert-portal.siemens.com/productcert/csaf/ssa-851884.json advisory
- https://cert-portal.siemens.com/productcert/pdf/ssa-851884.pdf advisory
- https://cert-portal.siemens.com/productcert/txt/ssa-851884.txt advisory
- https://marketplace.mendix.com/link/component/1174 fix