CVE-2021-27394

16.04.2021, 20:15

A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.19), Mendix Applications using Mendix 8 (All versions < V8.17.0), Mendix Applications using Mendix 8 (V8.12) (All versions < V8.12.5), Mendix Applications using Mendix 8 (V8.6) (All versions < V8.6.9), Mendix Applications using Mendix 9 (All versions < V9.0.5). Authenticated, non-administrative users could modify their privileges by manipulating the user role under certain circumstances, allowing them to gain administrative privileges.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	8.8 HIGH	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
siemens	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 55%

Vendor	Product	Version
mendix	mendix	7.0.2 ≤ 𝑥 < 7.23.19
mendix	mendix	8.0.0 ≤ 𝑥 < 8.17.0
mendix	mendix	9.0.0 ≤ 𝑥 < 9.0.5
mendix	mendix	8.6.0 ≤ 𝑥 < 8.6.9
mendix	mendix	8.12.0 ≤ 𝑥 < 8.12.5

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-269 - Improper Privilege Management
The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

References

https://cert-portal.siemens.com/productcert/pdf/ssa-875726.pdf