CVE-2023-49069

MEDIUM

Mendix Runtime V10 <10.17.0, V10.12 <10.12.11, V10.6 <10.6.19 - Username Enumeration via Observable Response Discrepancy

Title source: llm

Description

A vulnerability has been identified in the following Mendix Runtime versions, in each case only if the application uses the basic authentication mechanism:

Mendix Runtime V10 (all versions < V10.17.0)
Mendix Runtime V10.12 (all versions < V10.12.11)
Mendix Runtime V10.6 (all versions < V10.6.19)
Mendix Runtime V8 (all versions < V8.18.33)
Mendix Runtime V9 (all versions < V9.24.31)

The authentication mechanism of affected applications contains an observable response discrepancy vulnerability when validating usernames. This could allow unauthenticated remote attackers to distinguish between valid and invalid usernames.

Scores

CVSS v3 5.3
EPSS 0.0035
EPSS Percentile 57.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-204
Status published
Products (5)
Siemens/Mendix Runtime V10 < V10.17.0
Siemens/Mendix Runtime V10.12 < V10.12.11
Siemens/Mendix Runtime V10.6 < V10.6.19
Siemens/Mendix Runtime V8 < V8.18.33
Siemens/Mendix Runtime V9 < V9.24.31
Published Sep 10, 2024
Tracked Since Feb 18, 2026