CVE-2021-42015

09.11.2021, 12:15

A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.26), Mendix Applications using Mendix 8 (All versions < V8.18.12), Mendix Applications using Mendix 9 (All versions < V9.6.1). Applications built with affected versions of Mendix Studio Pro do not prevent file documents from being cached when files are opened or downloaded using a browser. This could allow a local attacker to read those documents by exploring the browser cache.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	5.5 MEDIUM	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
siemens	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 33%

Vendor	Product	Version
mendix	mendix	𝑥 < 7.23.26
mendix	mendix	8.0.0 ≤ 𝑥 < 8.18.12
mendix	mendix	9.0.0 ≤ 𝑥 < 9.6.1

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-525 - Use of Web Browser Cache Containing Sensitive Information
The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached.

References

https://cert-portal.siemens.com/productcert/pdf/ssa-338732.pdf