cnvd - cnvd-2024-32690

cnvd-2024-32690

Vulnerability from cnvd

Title: Siemens Mendix Encryption模块硬编码默认加密密钥漏洞

Description:

Mendix Encryption模块负责以下加密需求：纯文本加密（例如密码）和FileDocument加密（例如文件或照片）。

Siemens Mendix Encryption模块存在硬编码默认加密密钥漏洞，攻击者可利用该漏洞能够解密任何加密的项目数据，因为默认的加密密钥可能被认为是被泄露的。

Severity: 高

Patch Name: Siemens Mendix Encryption模块硬编码默认加密密钥漏洞的补丁

Patch Description:

Mendix Encryption模块负责以下加密需求：纯文本加密（例如密码）和FileDocument加密（例如文件或照片）。

Siemens Mendix Encryption模块存在硬编码默认加密密钥漏洞，攻击者可利用该漏洞能够解密任何加密的项目数据，因为默认的加密密钥可能被认为是被泄露的。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

用户可参考如下供应商提供的安全公告获得补丁信息： https://cert-portal.siemens.com/productcert/html/ssa-998949.html

Reference: https://cert-portal.siemens.com/productcert/html/ssa-998949.html

Impacted products

Name
Siemens Mendix Encryption >= V10.0.0，< V10.0.2

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2024-39888"
    }
  },
  "description": "Mendix Encryption\u6a21\u5757\u8d1f\u8d23\u4ee5\u4e0b\u52a0\u5bc6\u9700\u6c42\uff1a\u7eaf\u6587\u672c\u52a0\u5bc6\uff08\u4f8b\u5982\u5bc6\u7801\uff09\u548cFileDocument\u52a0\u5bc6\uff08\u4f8b\u5982\u6587\u4ef6\u6216\u7167\u7247\uff09\u3002\n\nSiemens Mendix Encryption\u6a21\u5757\u5b58\u5728\u786c\u7f16\u7801\u9ed8\u8ba4\u52a0\u5bc6\u5bc6\u94a5\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u80fd\u591f\u89e3\u5bc6\u4efb\u4f55\u52a0\u5bc6\u7684\u9879\u76ee\u6570\u636e\uff0c\u56e0\u4e3a\u9ed8\u8ba4\u7684\u52a0\u5bc6\u5bc6\u94a5\u53ef\u80fd\u88ab\u8ba4\u4e3a\u662f\u88ab\u6cc4\u9732\u7684\u3002",
  "formalWay": "\u7528\u6237\u53ef\u53c2\u8003\u5982\u4e0b\u4f9b\u5e94\u5546\u63d0\u4f9b\u7684\u5b89\u5168\u516c\u544a\u83b7\u5f97\u8865\u4e01\u4fe1\u606f\uff1a\r\nhttps://cert-portal.siemens.com/productcert/html/ssa-998949.html",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2024-32690",
  "openTime": "2024-07-19",
  "patchDescription": "Mendix Encryption\u6a21\u5757\u8d1f\u8d23\u4ee5\u4e0b\u52a0\u5bc6\u9700\u6c42\uff1a\u7eaf\u6587\u672c\u52a0\u5bc6\uff08\u4f8b\u5982\u5bc6\u7801\uff09\u548cFileDocument\u52a0\u5bc6\uff08\u4f8b\u5982\u6587\u4ef6\u6216\u7167\u7247\uff09\u3002\r\n\r\nSiemens Mendix Encryption\u6a21\u5757\u5b58\u5728\u786c\u7f16\u7801\u9ed8\u8ba4\u52a0\u5bc6\u5bc6\u94a5\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u80fd\u591f\u89e3\u5bc6\u4efb\u4f55\u52a0\u5bc6\u7684\u9879\u76ee\u6570\u636e\uff0c\u56e0\u4e3a\u9ed8\u8ba4\u7684\u52a0\u5bc6\u5bc6\u94a5\u53ef\u80fd\u88ab\u8ba4\u4e3a\u662f\u88ab\u6cc4\u9732\u7684\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Siemens Mendix Encryption\u6a21\u5757\u786c\u7f16\u7801\u9ed8\u8ba4\u52a0\u5bc6\u5bc6\u94a5\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Siemens Mendix Encryption \u003e= V10.0.0\uff0c\u003c V10.0.2"
  },
  "referenceLink": "https://cert-portal.siemens.com/productcert/html/ssa-998949.html",
  "serverity": "\u9ad8",
  "submitTime": "2024-07-10",
  "title": "Siemens Mendix Encryption\u6a21\u5757\u786c\u7f16\u7801\u9ed8\u8ba4\u52a0\u5bc6\u5bc6\u94a5\u6f0f\u6d1e"
}

CVE-2024-39888 (GCVE-0-2024-39888)

Vulnerability from cvelistv5

Published

2024-07-09 12:05

Modified

2025-08-27 20:42

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
8.7 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

CWE

CWE-547 - Use of Hard-coded, Security-relevant Constants

Summary

A vulnerability has been identified in Mendix Encryption (All versions >= V10.0.0 < V10.0.2). Affected versions of the module define a specific hard-coded default value for the EncryptionKey constant, which is used in projects where no individual EncryptionKey was specified. This could allow to an attacker to decrypt any encrypted project data, as the default encryption key can be considered compromised.

References

▼	URL	Tags
	https://cert-portal.siemens.com/productcert/html/ssa-998949.html

Impacted products

	Vendor	Product	Version
	Siemens	Mendix Encryption	Version: V10.0.0 < V10.0.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:siemens:mendix_encryption:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "mendix_encryption",
            "vendor": "siemens",
            "versions": [
              {
                "lessThan": "V10.0.2",
                "status": "affected",
                "version": "V10.0.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-39888",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-09T13:06:11.608012Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-27T20:42:58.535Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T04:33:11.555Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://cert-portal.siemens.com/productcert/html/ssa-998949.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Mendix Encryption",
          "vendor": "Siemens",
          "versions": [
            {
              "lessThan": "V10.0.2",
              "status": "affected",
              "version": "V10.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability has been identified in Mendix Encryption (All versions \u003e= V10.0.0 \u003c V10.0.2). Affected versions of the module define a specific hard-coded default value for the EncryptionKey constant, which is used in projects where no individual EncryptionKey was specified.\r\n\r\nThis could allow to an attacker to decrypt any encrypted project data, as the default encryption key can be considered compromised."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        },
        {
          "cvssV4_0": {
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-547",
              "description": "CWE-547: Use of Hard-coded, Security-relevant Constants",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-09T12:05:35.455Z",
        "orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
        "shortName": "siemens"
      },
      "references": [
        {
          "url": "https://cert-portal.siemens.com/productcert/html/ssa-998949.html"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
    "assignerShortName": "siemens",
    "cveId": "CVE-2024-39888",
    "datePublished": "2024-07-09T12:05:35.455Z",
    "dateReserved": "2024-07-02T14:00:15.330Z",
    "dateUpdated": "2025-08-27T20:42:58.535Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted