CVE-2024-33500

A vulnerability has been identified in Mendix Applications using Mendix 10 (All versions < V10.11.0), Mendix Applications using Mendix 10 (V10.6) (All versions < V10.6.9), Mendix Applications using Mendix 9 (All versions >= V9.3.0 < V9.24.22). Affected applications could allow users with the capability to manage a role to elevate the access rights of users with that role. Successful exploitation requires to guess the id of a target role which contains the elevated access rights.

CVSS v3 5.9 MEDIUM

5.9^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.7 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://cert-portal.siemens.com/productcert/html/ssa-540640.html
https://cert-portal.siemens.com/productcert/html/ssa-540640.html

Configurations

No configuration.

History

21 Nov 2024, 09:17

Type	Values Removed	Values Added
References	~~() https://cert-portal.siemens.com/productcert/html/ssa-540640.html -~~	() https://cert-portal.siemens.com/productcert/html/ssa-540640.html -
Summary		(es) Se ha identificado una vulnerabilidad en Aplicaciones Mendix que usan Mendix 10 (Todas las versiones < V10.11.0), Aplicaciones Mendix que usan Mendix 10 (V10.6) (Todas las versiones < V10.6.9), Aplicaciones Mendix que usan Mendix 9 (Todas las versiones >= V9 .3.0 < V9.24.22). Las aplicaciones afectadas podrían permitir a los usuarios con la capacidad de gestionar una función elevar los derechos de acceso de los usuarios con esa función. La explotación exitosa requiere adivinar la identificación de una función de destino que contiene derechos de acceso elevados.

11 Jun 2024, 12:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-06-11 12:15

Updated : 2024-11-21 09:17

NVD link : CVE-2024-33500

Mitre link : CVE-2024-33500

CVE.ORG link : CVE-2024-33500

JSON object : View

Products Affected

No product.

CWE

CWE-269

Improper Privilege Management

{"id": "CVE-2024-33500", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "productcert@siemens.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 0.7}], "cvssMetricV40": [{"type": "Secondary", "source": "productcert@siemens.com", "cvssData": {"safety": "NOT_DEFINED", "version": "4.0", "recovery": "NOT_DEFINED", "baseScore": 7.4, "automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "modifiedAttackVector": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subsequentSystemIntegrity": "NONE", "vulnerableSystemIntegrity": "HIGH", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "confidentialityRequirements": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "vulnerableSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "vulnerableSystemConfidentiality": "HIGH", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED"}}]}, "published": "2024-06-11T12:15:15.957", "references": [{"url": "https://cert-portal.siemens.com/productcert/html/ssa-540640.html", "source": "productcert@siemens.com"}, {"url": "https://cert-portal.siemens.com/productcert/html/ssa-540640.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "productcert@siemens.com", "description": [{"lang": "en", "value": "CWE-269"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in Mendix Applications using Mendix 10 (All versions < V10.11.0), Mendix Applications using Mendix 10 (V10.6) (All versions < V10.6.9), Mendix Applications using Mendix 9 (All versions >= V9.3.0 < V9.24.22). Affected applications could allow users with the capability to manage a role to elevate the access rights of users with that role. Successful exploitation requires to guess the id of a target role which contains the elevated access rights."}, {"lang": "es", "value": "Se ha identificado una vulnerabilidad en Aplicaciones Mendix que usan Mendix 10 (Todas las versiones < V10.11.0), Aplicaciones Mendix que usan Mendix 10 (V10.6) (Todas las versiones < V10.6.9), Aplicaciones Mendix que usan Mendix 9 (Todas las versiones >= V9 .3.0 < V9.24.22). Las aplicaciones afectadas podr\u00edan permitir a los usuarios con la capacidad de gestionar una funci\u00f3n elevar los derechos de acceso de los usuarios con esa funci\u00f3n. La explotaci\u00f3n exitosa requiere adivinar la identificaci\u00f3n de una funci\u00f3n de destino que contiene derechos de acceso elevados."}], "lastModified": "2024-11-21T09:17:02.433", "sourceIdentifier": "productcert@siemens.com"}