CVE-2023-49069

Summary

A vulnerability has been identified in Mendix Runtime V10 (All versions < V10.17.0 only if the basic authentication mechanism is used by the application), Mendix Runtime V10.12 (All versions < V10.12.11 only if the basic authentication mechanism is used by the application), Mendix Runtime V10.6 (All versions < V10.6.19 only if the basic authentication mechanism is used by the application), Mendix Runtime V8 (All versions < V8.18.33 only if the basic authentication mechanism is used by the application), Mendix Runtime V9 (All versions < V9.24.31 only if the basic authentication mechanism is used by the application). The authentication mechanism of affected applications contains an observable response discrepancy vulnerability when validating usernames. This could allow unauthenticated remote attackers to distinguish between valid and invalid usernames.

Affected Software

VendorProductVersion RangeStatus
SiemensMendix Runtime V100 < V10.17.0affected
SiemensMendix Runtime V10.120 < V10.12.11affected
SiemensMendix Runtime V10.60 < V10.6.19affected
SiemensMendix Runtime V80 < V8.18.33affected
SiemensMendix Runtime V90 < V9.24.31affected

Weaknesses

  • CWE-204: CWE-204: Observable Response Discrepancy

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References