CVE-2023-23835 - OpenCVE

A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.34), Mendix Applications using Mendix 8 (All versions < V8.18.23), Mendix Applications using Mendix 9 (All versions < V9.22.0), Mendix Applications using Mendix 9 (V9.12) (All versions < V9.12.10), Mendix Applications using Mendix 9 (V9.18) (All versions < V9.18.4), Mendix Applications using Mendix 9 (V9.6) (All versions < V9.6.15). Some of the Mendix runtime API’s allow attackers to bypass XPath constraints and retrieve information using XPath queries that trigger errors.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Mendix	Mendix

Configuration 1 [-]

OR	cpe:2.3:a:mendix:mendix::::::::
	cpe:2.3:a:mendix:mendix::::::::
	cpe:2.3:a:mendix:mendix::::::::
	cpe:2.3:a:mendix:mendix::::::::
	cpe:2.3:a:mendix:mendix::::::::
	cpe:2.3:a:mendix:mendix::::::::

No data.

References

Link	Providers
https://cert-portal.siemens.com/productcert/pdf/ssa-252808.pdf

History

No history.

MITRE

Status: PUBLISHED

Assigner: siemens

Published: 2023-02-14T10:36:23.615Z

Updated: 2024-08-02T10:42:27.044Z

Reserved: 2023-01-18T10:28:31.589Z

Link: CVE-2023-23835

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-02-14T11:15:14.687

Modified: 2023-02-22T15:44:23.027

Link: CVE-2023-23835

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-23835", "assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", "state": "PUBLISHED", "assignerShortName": "siemens", "dateReserved": "2023-01-18T10:28:31.589Z", "datePublished": "2023-02-14T10:36:23.615Z", "dateUpdated": "2024-08-02T10:42:27.044Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", "shortName": "siemens", "dateUpdated": "2023-02-15T09:24:58.910Z"}, "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.34), Mendix Applications using Mendix 8 (All versions < V8.18.23), Mendix Applications using Mendix 9 (All versions < V9.22.0), Mendix Applications using Mendix 9 (V9.12) (All versions < V9.12.10), Mendix Applications using Mendix 9 (V9.18) (All versions < V9.18.4), Mendix Applications using Mendix 9 (V9.6) (All versions < V9.6.15). Some of the Mendix runtime API\u2019s allow attackers to bypass XPath constraints and retrieve information using XPath queries that trigger errors."}], "affected": [{"vendor": "Siemens", "product": "Mendix Applications using Mendix 7", "versions": [{"version": "All versions < V7.23.34", "status": "affected"}], "defaultStatus": "unknown"}, {"vendor": "Siemens", "product": "Mendix Applications using Mendix 8", "versions": [{"version": "All versions < V8.18.23", "status": "affected"}], "defaultStatus": "unknown"}, {"vendor": "Siemens", "product": "Mendix Applications using Mendix 9", "versions": [{"version": "All versions < V9.22.0", "status": "affected"}], "defaultStatus": "unknown"}, {"vendor": "Siemens", "product": "Mendix Applications using Mendix 9 (V9.12)", "versions": [{"version": "All versions < V9.12.10", "status": "affected"}], "defaultStatus": "unknown"}, {"vendor": "Siemens", "product": "Mendix Applications using Mendix 9 (V9.18)", "versions": [{"version": "All versions < V9.18.4", "status": "affected"}], "defaultStatus": "unknown"}, {"vendor": "Siemens", "product": "Mendix Applications using Mendix 9 (V9.6)", "versions": [{"version": "All versions < V9.6.15", "status": "affected"}], "defaultStatus": "unknown"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C", "baseScore": 5.9, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}], "references": [{"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-252808.pdf"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T10:42:27.044Z"}, "title": "CVE Program Container", "references": [{"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-252808.pdf", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mendix:mendix:*:*:*:*:*:*:*:*", "matchCriteriaId": "43E9E16C-936B-47D4-B5C1-30EAF7F6B8AE", "versionEndExcluding": "7.23.34", "versionStartIncluding": "7.0.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:mendix:mendix:*:*:*:*:*:*:*:*", "matchCriteriaId": "7A1ED592-BD7C-43FB-812E-15F579F8F40E", "versionEndExcluding": "8.18.23", "versionStartIncluding": "8.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mendix:mendix:*:*:*:*:*:*:*:*", "matchCriteriaId": "B3CFFFE6-F0CD-4C06-B3D7-44F3FA84B346", "versionEndExcluding": "9.6.15", "versionStartIncluding": "9.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mendix:mendix:*:*:*:*:*:*:*:*", "matchCriteriaId": "DFBB912C-5B70-436C-A615-717C6C90E25C", "versionEndExcluding": "9.12.10", "versionStartIncluding": "9.7.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mendix:mendix:*:*:*:*:*:*:*:*", "matchCriteriaId": "7AC5D595-F345-4533-BF6D-451CAFF17E13", "versionEndExcluding": "9.18.4", "versionStartIncluding": "9.18.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mendix:mendix:*:*:*:*:*:*:*:*", "matchCriteriaId": "9B9D7FEC-9D09-4CFD-AD46-880655E27898", "versionEndExcluding": "9.22.0", "versionStartIncluding": "9.19.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.34), Mendix Applications using Mendix 8 (All versions < V8.18.23), Mendix Applications using Mendix 9 (All versions < V9.22.0), Mendix Applications using Mendix 9 (V9.12) (All versions < V9.12.10), Mendix Applications using Mendix 9 (V9.18) (All versions < V9.18.4), Mendix Applications using Mendix 9 (V9.6) (All versions < V9.6.15). Some of the Mendix runtime API\u2019s allow attackers to bypass XPath constraints and retrieve information using XPath queries that trigger errors."}], "id": "CVE-2023-23835", "lastModified": "2023-02-22T15:44:23.027", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "productcert@siemens.com", "type": "Secondary"}]}, "published": "2023-02-14T11:15:14.687", "references": [{"source": "productcert@siemens.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-252808.pdf"}], "sourceIdentifier": "productcert@siemens.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "productcert@siemens.com", "type": "Primary"}]}