cvelist/2023/25xxx/CVE-2023-25957.json

{
    "data_version": "4.0",
    "data_type": "CVE",
    "data_format": "MITRE",
    "CVE_data_meta": {
        "ID": "CVE-2023-25957",
        "ASSIGNER": "productcert@siemens.com",
        "STATE": "PUBLIC"
    },
    "description": {
        "description_data": [
            {
                "lang": "eng",
                "value": "A vulnerability has been identified in Mendix SAML (Mendix 7 compatible) (All versions >= V1.16.4 < V1.17.3), Mendix SAML (Mendix 8 compatible) (All versions >= V2.2.0 < V2.3.0), Mendix SAML (Mendix 9 compatible, New Track) (All versions >= V3.1.9 < V3.3.1), Mendix SAML (Mendix 9 compatible, Upgrade Track) (All versions >= V3.1.8 < V3.3.0). The affected versions of the module insufficiently verifies the SAML assertions. This could allow unauthenticated remote attackers to bypass authentication and get access to the application.\r\n\r\nFor compatibility reasons, fix versions still contain this issue, but only when the recommended, default configuration option `'Use Encryption'` is disabled."
            }
        ]
    },
    "problemtype": {
        "problemtype_data": [
            {
                "description": [
                    {
                        "lang": "eng",
                        "value": "CWE-303: Incorrect Implementation of Authentication Algorithm",
                        "cweId": "CWE-303"
                    }
                ]
            }
        ]
    },
    "affects": {
        "vendor": {
            "vendor_data": [
                {
                    "vendor_name": "Siemens",
                    "product": {
                        "product_data": [
                            {
                                "product_name": "Mendix SAML (Mendix 7 compatible)",
                                "version": {
                                    "version_data": [
                                        {
                                            "version_affected": "=",
                                            "version_value": "All versions >= V1.16.4 < V1.17.3"
                                        }
                                    ]
                                }
                            },
                            {
                                "product_name": "Mendix SAML (Mendix 8 compatible)",
                                "version": {
                                    "version_data": [
                                        {
                                            "version_affected": "=",
                                            "version_value": "All versions >= V2.2.0 < V2.3.0"
                                        }
                                    ]
                                }
                            },
                            {
                                "product_name": "Mendix SAML (Mendix 9 compatible, New Track)",
                                "version": {
                                    "version_data": [
                                        {
                                            "version_affected": "=",
                                            "version_value": "All versions >= V3.1.9 < V3.3.1"
                                        }
                                    ]
                                }
                            },
                            {
                                "product_name": "Mendix SAML (Mendix 9 compatible, Upgrade Track)",
                                "version": {
                                    "version_data": [
                                        {
                                            "version_affected": "=",
                                            "version_value": "All versions >= V3.1.8 < V3.3.0"
                                        }
                                    ]
                                }
                            }
                        ]
                    }
                }
            ]
        }
    },
    "references": {
        "reference_data": [
            {
                "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-851884.pdf",
                "refsource": "MISC",
                "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-851884.pdf"
            }
        ]
    },
    "impact": {
        "cvss": [
            {
                "version": "3.1",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL"
            }
        ]
    }
}
"-Synchronized-Data." 2023-02-17 13:00:37 +00:00			`{`
"-Synchronized-Data." 2023-03-14 10:00:37 +00:00			`"data_version": "4.0",`
"-Synchronized-Data." 2023-02-17 13:00:37 +00:00			`"data_type": "CVE",`
			`"data_format": "MITRE",`
			`"CVE_data_meta": {`
			`"ID": "CVE-2023-25957",`
"-Synchronized-Data." 2023-03-14 10:00:37 +00:00			`"ASSIGNER": "productcert@siemens.com",`
			`"STATE": "PUBLIC"`
"-Synchronized-Data." 2023-02-17 13:00:37 +00:00			`},`
			`"description": {`
			`"description_data": [`
			`{`
			`"lang": "eng",`
"-Synchronized-Data." 2023-06-13 09:00:43 +00:00			"value": "A vulnerability has been identified in Mendix SAML (Mendix 7 compatible) (All versions >= V1.16.4 < V1.17.3), Mendix SAML (Mendix 8 compatible) (All versions >= V2.2.0 < V2.3.0), Mendix SAML (Mendix 9 compatible, New Track) (All versions >= V3.1.9 < V3.3.1), Mendix SAML (Mendix 9 compatible, Upgrade Track) (All versions >= V3.1.8 < V3.3.0). The affected versions of the module insufficiently verifies the SAML assertions. This could allow unauthenticated remote attackers to bypass authentication and get access to the application.\r\n\r\nFor compatibility reasons, fix versions still contain this issue, but only when the recommended, default configuration option `'Use Encryption'` is disabled."
"-Synchronized-Data." 2023-03-14 10:00:37 +00:00			`}`
			`]`
			`},`
			`"problemtype": {`
			`"problemtype_data": [`
			`{`
			`"description": [`
			`{`
			`"lang": "eng",`
			`"value": "CWE-303: Incorrect Implementation of Authentication Algorithm",`
			`"cweId": "CWE-303"`
			`}`
			`]`
			`}`
			`]`
			`},`
			`"affects": {`
			`"vendor": {`
			`"vendor_data": [`
			`{`
			`"vendor_name": "Siemens",`
			`"product": {`
			`"product_data": [`
			`{`
			`"product_name": "Mendix SAML (Mendix 7 compatible)",`
			`"version": {`
			`"version_data": [`
			`{`
			`"version_affected": "=",`
"-Synchronized-Data." 2023-06-13 09:00:43 +00:00			`"version_value": "All versions >= V1.16.4 < V1.17.3"`
"-Synchronized-Data." 2023-03-14 10:00:37 +00:00			`}`
			`]`
			`}`
			`},`
			`{`
			`"product_name": "Mendix SAML (Mendix 8 compatible)",`
			`"version": {`
			`"version_data": [`
			`{`
			`"version_affected": "=",`
"-Synchronized-Data." 2023-06-13 09:00:43 +00:00			`"version_value": "All versions >= V2.2.0 < V2.3.0"`
"-Synchronized-Data." 2023-03-14 10:00:37 +00:00			`}`
			`]`
			`}`
			`},`
			`{`
			`"product_name": "Mendix SAML (Mendix 9 compatible, New Track)",`
			`"version": {`
			`"version_data": [`
			`{`
			`"version_affected": "=",`
"-Synchronized-Data." 2023-06-13 09:00:43 +00:00			`"version_value": "All versions >= V3.1.9 < V3.3.1"`
"-Synchronized-Data." 2023-03-14 10:00:37 +00:00			`}`
			`]`
			`}`
			`},`
			`{`
			`"product_name": "Mendix SAML (Mendix 9 compatible, Upgrade Track)",`
			`"version": {`
			`"version_data": [`
			`{`
			`"version_affected": "=",`
"-Synchronized-Data." 2023-06-13 09:00:43 +00:00			`"version_value": "All versions >= V3.1.8 < V3.3.0"`
"-Synchronized-Data." 2023-03-14 10:00:37 +00:00			`}`
			`]`
			`}`
			`}`
			`]`
			`}`
			`}`
			`]`
			`}`
			`},`
			`"references": {`
			`"reference_data": [`
			`{`
			`"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-851884.pdf",`
			`"refsource": "MISC",`
			`"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-851884.pdf"`
			`}`
			`]`
			`},`
			`"impact": {`
			`"cvss": [`
			`{`
			`"version": "3.1",`
			`"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C",`
			`"baseScore": 9.1,`
			`"baseSeverity": "CRITICAL"`
"-Synchronized-Data." 2023-02-17 13:00:37 +00:00			`}`
			`]`
			`}`
			`}`