cnvd - cnvd-2024-38024

cnvd-2024-38024

Vulnerability from cnvd

Title: Siemens Mendix Runtime信息泄露漏洞

Description:

Siemens Mendix是德国西门子（Siemens）公司的一套低代码应用程序开发平台。该平台提供应用程序开发、测试、部署和迭代等功能。

Siemens Mendix Runtime存在信息泄露漏洞，该漏洞源于受影响应用程序的身份验证机制在验证用户名时包含可观察到的响应差异漏洞。允许未经身份验证的远程攻击者可利用该漏洞区分有效和无效的用户名。

Severity: 中

Patch Name: Siemens Mendix Runtime信息泄露漏洞的补丁

Patch Description:

Siemens Mendix是德国西门子（Siemens）公司的一套低代码应用程序开发平台。该平台提供应用程序开发、测试、部署和迭代等功能。

Siemens Mendix Runtime存在信息泄露漏洞，该漏洞源于受影响应用程序的身份验证机制在验证用户名时包含可观察到的响应差异漏洞。允许未经身份验证的远程攻击者可利用该漏洞区分有效和无效的用户名。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

用户可参考如下供应商提供的安全公告获得补丁信息： https://cert-portal.siemens.com/productcert/html/ssa-097435.html

Reference: https://cert-portal.siemens.com/productcert/html/ssa-097435.html

Impacted products

Name
['Siemens Mendix Runtime V10.12 < V10.12.2', 'Siemens Mendix Runtime V10.6 < V10.6.12', 'Siemens Mendix Runtime V10 < V10.14.0', 'Siemens Mendix Runtime V9 < V9.24.26', 'Siemens Mendix Runtime V8']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2023-49069"
    }
  },
  "description": "Siemens Mendix\u662f\u5fb7\u56fd\u897f\u95e8\u5b50\uff08Siemens\uff09\u516c\u53f8\u7684\u4e00\u5957\u4f4e\u4ee3\u7801\u5e94\u7528\u7a0b\u5e8f\u5f00\u53d1\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u63d0\u4f9b\u5e94\u7528\u7a0b\u5e8f\u5f00\u53d1\u3001\u6d4b\u8bd5\u3001\u90e8\u7f72\u548c\u8fed\u4ee3\u7b49\u529f\u80fd\u3002 \n\nSiemens Mendix Runtime\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u53d7\u5f71\u54cd\u5e94\u7528\u7a0b\u5e8f\u7684\u8eab\u4efd\u9a8c\u8bc1\u673a\u5236\u5728\u9a8c\u8bc1\u7528\u6237\u540d\u65f6\u5305\u542b\u53ef\u89c2\u5bdf\u5230\u7684\u54cd\u5e94\u5dee\u5f02\u6f0f\u6d1e\u3002\u5141\u8bb8\u672a\u7ecf\u8eab\u4efd\u9a8c\u8bc1\u7684\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u533a\u5206\u6709\u6548\u548c\u65e0\u6548\u7684\u7528\u6237\u540d\u3002",
  "formalWay": "\u7528\u6237\u53ef\u53c2\u8003\u5982\u4e0b\u4f9b\u5e94\u5546\u63d0\u4f9b\u7684\u5b89\u5168\u516c\u544a\u83b7\u5f97\u8865\u4e01\u4fe1\u606f\uff1a\r\nhttps://cert-portal.siemens.com/productcert/html/ssa-097435.html",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2024-38024",
  "openTime": "2024-09-12",
  "patchDescription": "Siemens Mendix\u662f\u5fb7\u56fd\u897f\u95e8\u5b50\uff08Siemens\uff09\u516c\u53f8\u7684\u4e00\u5957\u4f4e\u4ee3\u7801\u5e94\u7528\u7a0b\u5e8f\u5f00\u53d1\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u63d0\u4f9b\u5e94\u7528\u7a0b\u5e8f\u5f00\u53d1\u3001\u6d4b\u8bd5\u3001\u90e8\u7f72\u548c\u8fed\u4ee3\u7b49\u529f\u80fd\u3002 \r\n\r\nSiemens Mendix Runtime\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u53d7\u5f71\u54cd\u5e94\u7528\u7a0b\u5e8f\u7684\u8eab\u4efd\u9a8c\u8bc1\u673a\u5236\u5728\u9a8c\u8bc1\u7528\u6237\u540d\u65f6\u5305\u542b\u53ef\u89c2\u5bdf\u5230\u7684\u54cd\u5e94\u5dee\u5f02\u6f0f\u6d1e\u3002\u5141\u8bb8\u672a\u7ecf\u8eab\u4efd\u9a8c\u8bc1\u7684\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u533a\u5206\u6709\u6548\u548c\u65e0\u6548\u7684\u7528\u6237\u540d\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Siemens Mendix Runtime\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Siemens Mendix Runtime V10.12 \u003c V10.12.2",
      "Siemens Mendix Runtime V10.6 \u003c V10.6.12",
      "Siemens Mendix Runtime V10 \u003c V10.14.0",
      "Siemens Mendix Runtime V9 \u003c V9.24.26",
      "Siemens Mendix Runtime V8"
    ]
  },
  "referenceLink": "https://cert-portal.siemens.com/productcert/html/ssa-097435.html",
  "serverity": "\u4e2d",
  "submitTime": "2024-09-12",
  "title": "Siemens Mendix Runtime\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e"
}

CVE-2023-49069 (GCVE-0-2023-49069)

Vulnerability from cvelistv5

Published

2024-09-10 09:36

Modified

2025-01-14 10:29

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
6.9 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

CWE

CWE-204 - Observable Response Discrepancy

Summary

A vulnerability has been identified in Mendix Runtime V10 (All versions < V10.17.0 only if the basic authentication mechanism is used by the application), Mendix Runtime V10.12 (All versions < V10.12.11 only if the basic authentication mechanism is used by the application), Mendix Runtime V10.6 (All versions < V10.6.19 only if the basic authentication mechanism is used by the application), Mendix Runtime V8 (All versions < V8.18.33 only if the basic authentication mechanism is used by the application), Mendix Runtime V9 (All versions < V9.24.31 only if the basic authentication mechanism is used by the application). The authentication mechanism of affected applications contains an observable response discrepancy vulnerability when validating usernames. This could allow unauthenticated remote attackers to distinguish between valid and invalid usernames.

References

▼	URL	Tags
	https://cert-portal.siemens.com/productcert/html/ssa-097435.html

Impacted products

Vendor

Product

Version

▼

Siemens

Mendix Runtime V10

Version: 0 < V10.17.0

Siemens	Mendix Runtime V10.12	Version: 0 < V10.12.11
Siemens	Mendix Runtime V10.6	Version: 0 < V10.6.19
Siemens	Mendix Runtime V8	Version: 0 < V8.18.33
Siemens	Mendix Runtime V9	Version: 0 < V9.24.31

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:siemens:mendix:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "mendix",
            "vendor": "siemens",
            "versions": [
              {
                "lessThan": "9.24.26",
                "status": "affected",
                "version": "8.0",
                "versionType": "custom"
              },
              {
                "lessThan": "10.6.12",
                "status": "affected",
                "version": "10.0",
                "versionType": "custom"
              },
              {
                "lessThan": "10.12.2",
                "status": "affected",
                "version": "10.7",
                "versionType": "custom"
              },
              {
                "lessThan": "10.14.0",
                "status": "affected",
                "version": "10.13",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-49069",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T18:35:09.531765Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-10T18:39:46.492Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Mendix Runtime V10",
          "vendor": "Siemens",
          "versions": [
            {
              "lessThan": "V10.17.0",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "Mendix Runtime V10.12",
          "vendor": "Siemens",
          "versions": [
            {
              "lessThan": "V10.12.11",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "Mendix Runtime V10.6",
          "vendor": "Siemens",
          "versions": [
            {
              "lessThan": "V10.6.19",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "Mendix Runtime V8",
          "vendor": "Siemens",
          "versions": [
            {
              "lessThan": "V8.18.33",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "Mendix Runtime V9",
          "vendor": "Siemens",
          "versions": [
            {
              "lessThan": "V9.24.31",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability has been identified in Mendix Runtime V10 (All versions \u003c V10.17.0 only if the basic authentication mechanism is used by the application), Mendix Runtime V10.12 (All versions \u003c V10.12.11 only if the basic authentication mechanism is used by the application), Mendix Runtime V10.6 (All versions \u003c V10.6.19 only if the basic authentication mechanism is used by the application), Mendix Runtime V8 (All versions \u003c V8.18.33 only if the basic authentication mechanism is used by the application), Mendix Runtime V9 (All versions \u003c V9.24.31 only if the basic authentication mechanism is used by the application). The authentication mechanism of affected applications contains an observable response discrepancy vulnerability when validating usernames. This could allow unauthenticated remote attackers to distinguish between valid and invalid usernames."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        },
        {
          "cvssV4_0": {
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-204",
              "description": "CWE-204: Observable Response Discrepancy",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-14T10:29:57.002Z",
        "orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
        "shortName": "siemens"
      },
      "references": [
        {
          "url": "https://cert-portal.siemens.com/productcert/html/ssa-097435.html"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
    "assignerShortName": "siemens",
    "cveId": "CVE-2023-49069",
    "datePublished": "2024-09-10T09:36:25.399Z",
    "dateReserved": "2023-11-21T11:51:19.666Z",
    "dateUpdated": "2025-01-14T10:29:57.002Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted