Lucene search

PRIOn knowledge basePRION:CVE-2023-25957

HistoryMar 14, 2023 - 10:15 a.m.

Authentication flaw

2023-03-1410:15:00

PRIOn knowledge base

www.prio-n.com

mendix

saml

authentication

flaw

vulnerability

remote attackers

bypass authentication

application access

encryption

8.1 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

46.4%

JSON

A vulnerability has been identified in Mendix SAML (Mendix 7 compatible) (All versions >= V1.16.4 < V1.17.3), Mendix SAML (Mendix 8 compatible) (All versions >= V2.2.0 < V2.3.0), Mendix SAML (Mendix 9 latest compatible, New Track) (All versions >= V3.1.9 < V3.3.1), Mendix SAML (Mendix 9 latest compatible, Upgrade Track) (All versions >= V3.1.8 < V3.3.0), Mendix SAML (Mendix 9.6 compatible, New Track) (All versions >= V3.1.9 < V3.2.7), Mendix SAML (Mendix 9.6 compatible, Upgrade Track) (All versions >= V3.1.8 < V3.2.6). The affected versions of the module insufficiently verify the SAML assertions. This could allow unauthenticated remote attackers to bypass authentication and get access to the application.

For compatibility reasons, fix versions still contain this issue, but only when the recommended, default configuration option 'Use Encryption' is disabled.

CPENameOperatorVersion
samlge3.1.9
samllt3.2.5
samlge2.2.0
samllt2.2.3
samlge1.16.4
samllt1.17.2

Name	Operator	Version
saml	ge	3.1.9
saml	lt	3.2.5
saml	ge	2.2.0
saml	lt	2.2.3
saml	ge	1.16.4
saml	lt	1.17.2

References

cert-portal.siemens.com/productcert/pdf/ssa-851884.pdf