#VU54923 Improper Authorization in Mendix - CVE-2021-33718

Cybersecurity Help s.r.o.

Published: 2021-07-16

Vulnerability identifier: #VU54923

Vulnerability risk: Medium

CVSSv4.0: 2.3 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-33718

CWE-ID: CWE-285

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Mendix
Client/Desktop applications / Other client software

Vendor: Siemens

Description

The vulnerability allows a remote attacker to bypass authorization checks.

The vulnerability exists due to improper authorization enforcement. A remote authenticated attacker can bypass write access checks of attributes of an object.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Mendix: before 7.23.22

External links
https://cert-portal.siemens.com/productcert/pdf/ssa-352521.pdf

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Improper Authorization in Siemens Mendix