DIVD-2022-00019 - Insecure Mendix Applications
Our reference | DIVD-2022-00019 |
Case lead | Victor Gevers |
Author | John Cornegge |
Researcher(s) | |
CVE(s) | |
Product | Mendix Low Code Platform |
Versions | any |
Recommendation | If you received a notification of a vulnerability, patch your system with the information provided in this notification. |
Workaround | Review Access rules applied to Anonymous users. |
Status | Closed |
Last modified | 09 Nov 2022 21:36 CET |
Summary
DIVD started looking for misconfigured Entity access rules for anonymous users in applications built with the Mendix Low-code platform. While the default security implementation poses no risk, developers must apply access rules to any custom data objects they create. Depending on the use case, some objects should be accessible to anonymous users, such as images, documents or other public data. Access to other objects can be restricted to certain users and constraints, if set up properly. In some instances, anonymous users are given too much access to objects that must be restricted to logged-in Accounts and constraints only. This can happen on any custom Object, including those storing personal information. This effort is aimed at exposed personal data reachable via the public internet.
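The misconfiguration the summary describes, as an added example that is neither Mendix's engine nor DIVD's scanner: a simplified Python model of entity access rules that flags personal-data attributes an unconstrained anonymous rule makes readable, with the weak configuration beside the corrected one. The role, entity and attribute names are constructed; the owner XPath constraint is the usual Mendix pattern.

```python
"""Simplified model of Mendix-style entity access rules (not Mendix's own engine).
Each rule grants one user role read access to some attributes of an entity,
optionally limited to certain rows by an XPath constraint. Anonymous sessions
carry the anonymous user role, so an unconstrained anonymous rule exposes every row."""
from dataclasses import dataclass, field

ANONYMOUS_ROLE = "Anonymous"  # constructed role name; each Mendix project defines its own
OWNER_CONSTRAINT = "[System.owner = '[%CurrentUser%]']"  # common Mendix owner-only pattern

@dataclass(frozen=True)
class AccessRule:
    role: str
    readable: frozenset           # attributes this role may read
    xpath_constraint: str = ""    # "" means no row-level restriction

@dataclass
class Entity:
    name: str
    attributes: frozenset
    personal: frozenset           # attributes holding personal data
    rules: list = field(default_factory=list)  # default Mendix security: no rules, no access

def anonymous_exposure(entity: Entity) -> set:
    """Personal-data attributes an unauthenticated session can read on every row."""
    exposed = set()
    for rule in entity.rules:
        if rule.role == ANONYMOUS_ROLE and not rule.xpath_constraint:
            exposed |= rule.readable & entity.personal
    return exposed

def audit(entities) -> dict:
    """Map entity name -> exposed personal attributes; an empty set means the entity is fine."""
    return {e.name: anonymous_exposure(e) for e in entities}

def build_examples():
    """Constructed sample entities: the weak configuration beside the corrected one."""
    attrs = frozenset({"EventName", "FullName", "Email", "Phone"})
    personal = frozenset({"FullName", "Email", "Phone"})
    weak = Entity("Registration", attrs, personal,
                  [AccessRule(ANONYMOUS_ROLE, attrs)])            # public read of every row
    fixed = Entity("RegistrationFixed", attrs, personal,
                   [AccessRule(ANONYMOUS_ROLE, frozenset({"EventName"})),  # public data only
                    AccessRule("User", attrs, OWNER_CONSTRAINT)])          # owner sees own row
    untouched = Entity("Draft", attrs, personal)                   # default: nothing exposed
    return weak, fixed, untouched

if __name__ == "__main__":
    for name, exposed in audit(build_examples()).items():
        print(f"{name}: {'OK' if not exposed else 'EXPOSED ' + ', '.join(sorted(exposed))}")
```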
What you can do
- If you receive a notification, make sure the vulnerability described in that notification is patched. The notification includes the location and a description of the vulnerability. If you have any questions regarding the mitigation of these vulnerabilities, feel free to reply to the email, and we’ll gladly help.
What we are doing
- DIVD is scanning and analysing applications for incorrect use of access rules that exposes personal or other data. Any application found to be vulnerable will be reported to Mendix for further action and follow-up with their customers.
Timeline
Date | Description |
---|---|
19 Mar 2022 | DIVD started reviewing applications globally. |
30 Mar 2022 - 31 Mar 2022 | Scan of applications completed. |
31 Mar 2022 - 14 Apr 2022 | Applications have been analysed. Findings have been communicated with Mendix for further actions. |
10 Oct 2022 - 25 Oct 2022 | A second round of scanning has been performed. |
15 Oct 2022 - 25 Oct 2022 | Results have been analysed and organizations contacted. |
07 Nov 2022 | After monitoring the decrease in vulnerable systems we’ve decided to close this case. |