{
  "id": "CVE-2023-49069",
  "sourceIdentifier": "productcert@siemens.com",
  "published": "2024-09-10T10:15:08.947",
  "lastModified": "2024-09-10T10:15:08.947",
  "vulnStatus": "Received",
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A vulnerability has been identified in Mendix Runtime V10 (All versions < V10.14.0 only if the basic authentication mechanism is used by the application), Mendix Runtime V10.12 (All versions < V10.12.2 only if the basic authentication mechanism is used by the application), Mendix Runtime V10.6 (All versions < V10.6.12 only if the basic authentication mechanism is used by the application), Mendix Runtime V8 (All versions only if the basic authentication mechanism is used by the application), Mendix Runtime V9 (All versions < V9.24.26 only if the basic authentication mechanism is used by the application). The authentication mechanism of affected applications contains an observable response discrepancy vulnerability when validating usernames. This could allow unauthenticated remote attackers to distinguish between valid and invalid usernames."
    },
    {
      "lang": "es",
      "value": "Se ha identificado una vulnerabilidad en Mendix Runtime V10 (todas las versiones anteriores a la V10.14.0, solo si la aplicaci\u00f3n utiliza el mecanismo de autenticaci\u00f3n b\u00e1sico), Mendix Runtime V10.12 (todas las versiones anteriores a la V10.12.2, solo si la aplicaci\u00f3n utiliza el mecanismo de autenticaci\u00f3n b\u00e1sico), Mendix Runtime V10.6 (todas las versiones anteriores a la V10.6.12, solo si la aplicaci\u00f3n utiliza el mecanismo de autenticaci\u00f3n b\u00e1sico), Mendix Runtime V8 (todas las versiones solo si la aplicaci\u00f3n utiliza el mecanismo de autenticaci\u00f3n b\u00e1sico) y Mendix Runtime V9 (todas las versiones anteriores a la V9.24.26, solo si la aplicaci\u00f3n utiliza el mecanismo de autenticaci\u00f3n b\u00e1sico). El mecanismo de autenticaci\u00f3n de las aplicaciones afectadas contiene una vulnerabilidad de discrepancia de respuesta observable al validar nombres de usuario. Esto podr\u00eda permitir que atacantes remotos no autenticados distingan entre nombres de usuario v\u00e1lidos e inv\u00e1lidos."
    }
  ],
  "metrics": {
    "cvssMetricV40": [
      {
        "source": "productcert@siemens.com",
        "type": "Secondary",
        "cvssData": {
          "version": "4.0",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "attackVector": "NETWORK",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "privilegesRequired": "NONE",
          "userInteraction": "NONE",
          "vulnerableSystemConfidentiality": "LOW",
          "vulnerableSystemIntegrity": "NONE",
          "vulnerableSystemAvailability": "NONE",
          "subsequentSystemConfidentiality": "NONE",
          "subsequentSystemIntegrity": "NONE",
          "subsequentSystemAvailability": "NONE",
          "exploitMaturity": "NOT_DEFINED",
          "confidentialityRequirements": "NOT_DEFINED",
          "integrityRequirements": "NOT_DEFINED",
          "availabilityRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED",
          "modifiedVulnerableSystemIntegrity": "NOT_DEFINED",
          "modifiedVulnerableSystemAvailability": "NOT_DEFINED",
          "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED",
          "modifiedSubsequentSystemIntegrity": "NOT_DEFINED",
          "modifiedSubsequentSystemAvailability": "NOT_DEFINED",
          "safety": "NOT_DEFINED",
          "automatable": "NOT_DEFINED",
          "recovery": "NOT_DEFINED",
          "valueDensity": "NOT_DEFINED",
          "vulnerabilityResponseEffort": "NOT_DEFINED",
          "providerUrgency": "NOT_DEFINED",
          "baseScore": 6.9,
          "baseSeverity": "MEDIUM"
        }
      }
    ],
    "cvssMetricV31": [
      {
        "source": "productcert@siemens.com",
        "type": "Secondary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "attackVector": "NETWORK",
          "attackComplexity": "LOW",
          "privilegesRequired": "NONE",
          "userInteraction": "NONE",
          "scope": "UNCHANGED",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4
      }
    ]
  },
  "weaknesses": [
    {
      "source": "productcert@siemens.com",
      "type": "Primary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-204"
        }
      ]
    }
  ],
  "references": [
    {
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-097435.html",
      "source": "productcert@siemens.com"
    }
  ]
}