CWE-547
Use of Hard-coded, Security-relevant Constants
The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change.
CVE-2024-39888 (GCVE-0-2024-39888)
Vulnerability from cvelistv5
Published
2024-07-09 12:05
Modified
2025-08-27 20:42
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
8.7 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
8.7 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
VLAI Severity ?
EPSS score ?
CWE
- CWE-547 - Use of Hard-coded, Security-relevant Constants
Summary
A vulnerability has been identified in Mendix Encryption (All versions >= V10.0.0 < V10.0.2). Affected versions of the module define a specific hard-coded default value for the EncryptionKey constant, which is used in projects where no individual EncryptionKey was specified.
This could allow to an attacker to decrypt any encrypted project data, as the default encryption key can be considered compromised.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Siemens | Mendix Encryption |
Version: V10.0.0 < V10.0.2 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:siemens:mendix_encryption:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "mendix_encryption",
"vendor": "siemens",
"versions": [
{
"lessThan": "V10.0.2",
"status": "affected",
"version": "V10.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-39888",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-09T13:06:11.608012Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-27T20:42:58.535Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:33:11.555Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/html/ssa-998949.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Mendix Encryption",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V10.0.2",
"status": "affected",
"version": "V10.0.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in Mendix Encryption (All versions \u003e= V10.0.0 \u003c V10.0.2). Affected versions of the module define a specific hard-coded default value for the EncryptionKey constant, which is used in projects where no individual EncryptionKey was specified.\r\n\r\nThis could allow to an attacker to decrypt any encrypted project data, as the default encryption key can be considered compromised."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"cvssV4_0": {
"baseScore": 8.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-547",
"description": "CWE-547: Use of Hard-coded, Security-relevant Constants",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-09T12:05:35.455Z",
"orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"shortName": "siemens"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-998949.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"assignerShortName": "siemens",
"cveId": "CVE-2024-39888",
"datePublished": "2024-07-09T12:05:35.455Z",
"dateReserved": "2024-07-02T14:00:15.330Z",
"dateUpdated": "2025-08-27T20:42:58.535Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-49151 (GCVE-0-2025-49151)
Vulnerability from cvelistv5
Published
2025-06-25 16:32
Modified
2025-07-17 13:43
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-547 - Use of Hard-coded, Security-relevant Constants
Summary
The affected products could allow an unauthenticated attacker to generate forged JSON Web Tokens (JWT) to bypass authentication.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-49151",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-25T20:12:37.749818Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-25T20:14:16.576Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "NMP Web+",
"vendor": "Microsens",
"versions": [
{
"lessThanOrEqual": "Version 3.2.5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tomer Goldschmidt and Noam Moshe of Claroty Team82"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe affected products could allow an unauthenticated attacker to generate forged JSON Web Tokens (JWT) to bypass authentication.\u003c/span\u003e"
}
],
"value": "The affected products could allow an unauthenticated attacker to generate forged JSON Web Tokens (JWT) to bypass authentication."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-547",
"description": "CWE-547: Use of Hard-coded, Security-relevant Constants",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-17T13:43:28.516Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-175-07"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eMICROSENS recommends users to update to \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.microsens.com/support/downloads/nmp/\"\u003eNMP Web+ Version 3.3.0 for Windows and Linux\u003c/a\u003e\n\n\u003cbr\u003e"
}
],
"value": "MICROSENS recommends users to update to NMP Web+ Version 3.3.0 for Windows and Linux https://www.microsens.com/support/downloads/nmp/"
}
],
"source": {
"advisory": "ICSA-25-175-07",
"discovery": "UNKNOWN"
},
"title": "Use of Hard-coded, Security-relevant Constants in MICROSENS NMP Web+",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2025-49151",
"datePublished": "2025-06-25T16:32:30.492Z",
"dateReserved": "2025-06-02T17:06:38.139Z",
"dateUpdated": "2025-07-17T13:43:28.516Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
Phase: Implementation
Description:
- Avoid using hard-coded constants. Configuration files offer a more flexible solution.
No CAPEC attack patterns related to this CWE.