Vulnerabilites related to Siemens - Mendix Applications using Mendix 10 (V10.6)
cve-2024-33500
Vulnerability from cvelistv5
Published
2024-06-11 11:15
Modified
2024-09-06 17:00
Severity ?
5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N
7.4 (High) - CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Summary
A vulnerability has been identified in Mendix Applications using Mendix 10 (All versions < V10.11.0), Mendix Applications using Mendix 10 (V10.6) (All versions < V10.6.9), Mendix Applications using Mendix 9 (All versions >= V9.3.0 < V9.24.22). Affected applications could allow users with the capability to manage a role to elevate the access rights of users with that role. Successful exploitation requires to guess the id of a target role which contains the elevated access rights.
References
https://cert-portal.siemens.com/productcert/html/ssa-540640.html
Impacted products
Vendor Product Version
Siemens Mendix Applications using Mendix 10 Version: 0   < V10.11.0
 Create a notification for this product.
   Siemens Mendix Applications using Mendix 10 (V10.6) Version: 0   < V10.6.9
 Create a notification for this product.
   Siemens Mendix Applications using Mendix 9 Version: V9.3.0   < V9.24.22
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-02T02:36:03.343Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://cert-portal.siemens.com/productcert/html/ssa-540640.html",
               },
            ],
            title: "CVE Program Container",
         },
         {
            affected: [
               {
                  cpes: [
                     "cpe:2.3:a:siemens:mendix:*:*:*:*:*:*:*:*",
                  ],
                  defaultStatus: "unknown",
                  product: "mendix",
                  vendor: "siemens",
                  versions: [
                     {
                        lessThan: "10.11.0",
                        status: "affected",
                        version: "10..0",
                        versionType: "custom",
                     },
                     {
                        lessThan: "10.6.9",
                        status: "affected",
                        version: "10.6",
                        versionType: "custom",
                     },
                     {
                        lessThan: "9.24.22",
                        status: "affected",
                        version: "9.3.0",
                        versionType: "custom",
                     },
                  ],
               },
            ],
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2024-33500",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "total",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2024-08-20T16:28:31.756301Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2024-09-06T17:00:43.293Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               defaultStatus: "unknown",
               product: "Mendix Applications using Mendix 10",
               vendor: "Siemens",
               versions: [
                  {
                     lessThan: "V10.11.0",
                     status: "affected",
                     version: "0",
                     versionType: "custom",
                  },
               ],
            },
            {
               defaultStatus: "unknown",
               product: "Mendix Applications using Mendix 10 (V10.6)",
               vendor: "Siemens",
               versions: [
                  {
                     lessThan: "V10.6.9",
                     status: "affected",
                     version: "0",
                     versionType: "custom",
                  },
               ],
            },
            {
               defaultStatus: "unknown",
               product: "Mendix Applications using Mendix 9",
               vendor: "Siemens",
               versions: [
                  {
                     lessThan: "V9.24.22",
                     status: "affected",
                     version: "V9.3.0",
                     versionType: "custom",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "A vulnerability has been identified in Mendix Applications using Mendix 10 (All versions < V10.11.0), Mendix Applications using Mendix 10 (V10.6) (All versions < V10.6.9), Mendix Applications using Mendix 9 (All versions >= V9.3.0 < V9.24.22). Affected applications could allow users with the capability to manage a role to elevate the access rights of users with that role. Successful exploitation requires to guess the id of a target role which contains the elevated access rights.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  baseScore: 5.9,
                  baseSeverity: "MEDIUM",
                  vectorString: "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
                  version: "3.1",
               },
            },
            {
               cvssV4_0: {
                  baseScore: 7.4,
                  baseSeverity: "HIGH",
                  vectorString: "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
                  version: "4.0",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-269",
                     description: "CWE-269: Improper Privilege Management",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-06-11T14:20:45.931Z",
            orgId: "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
            shortName: "siemens",
         },
         references: [
            {
               url: "https://cert-portal.siemens.com/productcert/html/ssa-540640.html",
            },
         ],
      },
   },
   cveMetadata: {
      assignerOrgId: "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
      assignerShortName: "siemens",
      cveId: "CVE-2024-33500",
      datePublished: "2024-06-11T11:15:43.422Z",
      dateReserved: "2024-04-23T12:07:54.905Z",
      dateUpdated: "2024-09-06T17:00:43.293Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}