Skip to the content.

DIVD-2022-00019 - Insecure Mendix Applications

Our reference DIVD-2022-00019
Case lead Victor Gevers
Author John Cornegge
Researcher(s)
CVE(s)
  • n/a
Product Mendix Low Code Platform
Versions any
Recommendation If you received a notification of a vulnerability, patch your system with the information provided in this notification.
Workaround Review Access rules applied to Anonymous users.
Status Closed
Last modified 09 Nov 2022 21:36

Summary

DIVD started looking for misconfigured Entity access rules for anonymous users in applications built with the Mendix Low-code platform. While the default security implementation poses no risks, developers are to apply access rules to any custom data objects that they create. Based on the Use Case, some objects should be accessible by anonymous user, such as images, documents or any other public data. Access to other objects can be set up to be accessible only by certain users and constraints, if setup properly. In some instances, too much access is given to anonymous users on objects that must be restricted to logged in Accounts and constraints only. This can be the case on any custom Object, including those storing personal information. This effort is aimed at exposed personal data reachable via the public internet.

What you can do

What we are doing

Timeline

Date Description
19 Mar 2022 DIVD started reviewing applications globally.
30 Mar 2022-
31 Mar 2022
Scan of applications completed.
31 Mar 2022-
14 Apr 2022
Applications have been analysed. Findings have been communicated with Mendix for further actions.
10 Oct 2022-
25 Oct 2022
A second round of scanning has been performed.
15 Oct 2022-
25 Oct 2022
Results have been analysed and organizations contacted.
07 Nov 2022 After monitoring the decrease in vulnerable systems we’ve decided to close this case.
gantt title DIVD-2022-00019 - Insecure Mendix Applications dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2022-00019 - Insecure Mendix Applications (233 days) :2022-03-19, 2022-11-07 section Events DIVD started reviewing applications globally. : milestone, 2022-03-19, 0d Scan of applications completed. (1 days) : 2022-03-30, 2022-03-31 Applications have been analysed. Findings have been communicated with Mendix for further actions. (14 days) : 2022-03-31, 2022-04-14 A second round of scanning has been performed. (15 days) : 2022-10-10, 2022-10-25 Results have been analysed and organizations contacted. (10 days) : 2022-10-15, 2022-10-25 After monitoring the decrease in vulnerable systems we’ve decided to close this case. : milestone, 2022-11-07, 0d

More information