CVE-2024-33500 - OpenCVE

A vulnerability has been identified in Mendix Applications using Mendix 10 (All versions < V10.11.0), Mendix Applications using Mendix 10 (V10.6) (All versions < V10.6.9), Mendix Applications using Mendix 9 (All versions >= V9.3.0 < V9.24.22). Affected applications could allow users with the capability to manage a role to elevate the access rights of users with that role. Successful exploitation requires to guess the id of a target role which contains the elevated access rights.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
https://cert-portal.siemens.com/productcert/html/ssa-540640.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: siemens

Published: 2024-06-11T11:15:43.422Z

Updated: 2024-09-06T17:00:43.293Z

Reserved: 2024-04-23T12:07:54.905Z

Link: CVE-2024-33500

Vulnrichment

Updated: 2024-08-02T02:36:03.343Z

NVD

Status : Awaiting Analysis

Published: 2024-06-11T12:15:15.957

Modified: 2024-06-11T13:54:12.057

Link: CVE-2024-33500

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-33500", "assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", "state": "PUBLISHED", "assignerShortName": "siemens", "dateReserved": "2024-04-23T12:07:54.905Z", "datePublished": "2024-06-11T11:15:43.422Z", "dateUpdated": "2024-09-06T17:00:43.293Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", "shortName": "siemens", "dateUpdated": "2024-06-11T14:20:45.931Z"}, "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in Mendix Applications using Mendix 10 (All versions < V10.11.0), Mendix Applications using Mendix 10 (V10.6) (All versions < V10.6.9), Mendix Applications using Mendix 9 (All versions >= V9.3.0 < V9.24.22). Affected applications could allow users with the capability to manage a role to elevate the access rights of users with that role. Successful exploitation requires to guess the id of a target role which contains the elevated access rights."}], "affected": [{"vendor": "Siemens", "product": "Mendix Applications using Mendix 10", "versions": [{"status": "affected", "version": "0", "lessThan": "V10.11.0", "versionType": "custom"}], "defaultStatus": "unknown"}, {"vendor": "Siemens", "product": "Mendix Applications using Mendix 10 (V10.6)", "versions": [{"status": "affected", "version": "0", "lessThan": "V10.6.9", "versionType": "custom"}], "defaultStatus": "unknown"}, {"vendor": "Siemens", "product": "Mendix Applications using Mendix 9", "versions": [{"status": "affected", "version": "V9.3.0", "lessThan": "V9.24.22", "versionType": "custom"}], "defaultStatus": "unknown"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N", "baseScore": 5.9, "baseSeverity": "MEDIUM"}}, {"cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "baseScore": 7.4, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-269", "description": "CWE-269: Improper Privilege Management", "type": "CWE"}]}], "references": [{"url": "https://cert-portal.siemens.com/productcert/html/ssa-540640.html"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:36:03.343Z"}, "title": "CVE Program Container", "references": [{"url": "https://cert-portal.siemens.com/productcert/html/ssa-540640.html", "tags": ["x_transferred"]}]}, {"affected": [{"vendor": "siemens", "product": "mendix", "cpes": ["cpe:2.3:a:siemens:mendix:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "10..0", "status": "affected", "lessThan": "10.11.0", "versionType": "custom"}, {"version": "10.6", "status": "affected", "lessThan": "10.6.9", "versionType": "custom"}, {"version": "9.3.0", "status": "affected", "lessThan": "9.24.22", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-20T16:28:31.756301Z", "id": "CVE-2024-33500", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-06T17:00:43.293Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://cert-portal.siemens.com/productcert/html/ssa-540640.html", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:36:03.343Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-33500", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-08-20T16:28:31.756301Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:siemens:mendix:*:*:*:*:*:*:*:*"], "vendor": "siemens", "product": "mendix", "versions": [{"status": "affected", "version": "10..0", "lessThan": "10.11.0", "versionType": "custom"}, {"status": "affected", "version": "10.6", "lessThan": "10.6.9", "versionType": "custom"}, {"status": "affected", "version": "9.3.0", "lessThan": "9.24.22", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-03T15:59:25.308Z"}}], "cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N"}}, {"cvssV4_0": {"version": "4.0", "baseScore": 7.4, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"}}], "affected": [{"vendor": "Siemens", "product": "Mendix Applications using Mendix 10", "versions": [{"status": "affected", "version": "0", "lessThan": "V10.11.0", "versionType": "custom"}], "defaultStatus": "unknown"}, {"vendor": "Siemens", "product": "Mendix Applications using Mendix 10 (V10.6)", "versions": [{"status": "affected", "version": "0", "lessThan": "V10.6.9", "versionType": "custom"}], "defaultStatus": "unknown"}, {"vendor": "Siemens", "product": "Mendix Applications using Mendix 9", "versions": [{"status": "affected", "version": "V9.3.0", "lessThan": "V9.24.22", "versionType": "custom"}], "defaultStatus": "unknown"}], "references": [{"url": "https://cert-portal.siemens.com/productcert/html/ssa-540640.html"}], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in Mendix Applications using Mendix 10 (All versions < V10.11.0), Mendix Applications using Mendix 10 (V10.6) (All versions < V10.6.9), Mendix Applications using Mendix 9 (All versions >= V9.3.0 < V9.24.22). Affected applications could allow users with the capability to manage a role to elevate the access rights of users with that role. Successful exploitation requires to guess the id of a target role which contains the elevated access rights."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269: Improper Privilege Management"}]}], "providerMetadata": {"orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", "shortName": "siemens", "dateUpdated": "2024-06-11T14:20:45.931Z"}}}, "cveMetadata": {"cveId": "CVE-2024-33500", "state": "PUBLISHED", "dateUpdated": "2024-09-06T17:00:43.293Z", "dateReserved": "2024-04-23T12:07:54.905Z", "assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", "datePublished": "2024-06-11T11:15:43.422Z", "assignerShortName": "siemens"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in Mendix Applications using Mendix 10 (All versions < V10.11.0), Mendix Applications using Mendix 10 (V10.6) (All versions < V10.6.9), Mendix Applications using Mendix 9 (All versions >= V9.3.0 < V9.24.22). Affected applications could allow users with the capability to manage a role to elevate the access rights of users with that role. Successful exploitation requires to guess the id of a target role which contains the elevated access rights."}, {"lang": "es", "value": "Se ha identificado una vulnerabilidad en Aplicaciones Mendix que usan Mendix 10 (Todas las versiones < V10.11.0), Aplicaciones Mendix que usan Mendix 10 (V10.6) (Todas las versiones < V10.6.9), Aplicaciones Mendix que usan Mendix 9 (Todas las versiones >= V9 .3.0 < V9.24.22). Las aplicaciones afectadas podr\u00edan permitir a los usuarios con la capacidad de gestionar una funci\u00f3n elevar los derechos de acceso de los usuarios con esa funci\u00f3n. La explotaci\u00f3n exitosa requiere adivinar la identificaci\u00f3n de una funci\u00f3n de destino que contiene derechos de acceso elevados."}], "id": "CVE-2024-33500", "lastModified": "2024-06-11T13:54:12.057", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 5.2, "source": "productcert@siemens.com", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "automatable": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "recovery": "NOT_DEFINED", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "subsequentSystemIntegrity": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnerabilityResponseEffort": "NOT_DEFINED", "vulnerableSystemAvailability": "NONE", "vulnerableSystemConfidentiality": "HIGH", "vulnerableSystemIntegrity": "HIGH"}, "source": "productcert@siemens.com", "type": "Secondary"}]}, "published": "2024-06-11T12:15:15.957", "references": [{"source": "productcert@siemens.com", "url": "https://cert-portal.siemens.com/productcert/html/ssa-540640.html"}], "sourceIdentifier": "productcert@siemens.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "productcert@siemens.com", "type": "Primary"}]}