
DIVD-2022-00019 - Insecure Mendix Applications

Our reference: DIVD-2022-00019
Case lead: Victor Gevers
Author: John Cornegge
Researcher(s):
CVE(s): n/a
Product: Mendix Low Code Platform
Versions: any
Recommendation: If you received a notification of a vulnerability, patch your system with the information provided in this notification.
Status: Open
Last modified: 20 Apr 2022 19:25

Summary

DIVD looked for misconfigured entity access rules for anonymous users in applications built with the Mendix low-code platform. The platform's default security settings pose no risk by themselves, but developers must define access rules for every custom entity (data object) they create. Depending on the use case, some objects should be reachable by anonymous users, such as images, documents or other public data; access to other objects can be limited to specific user roles and further narrowed with an access rule constraint (an XPath constraint, in Mendix terms), provided these are set up properly. In some instances, anonymous users are granted access to objects that should be readable only by logged-in accounts, and then only under such a constraint. This can affect any custom entity, including those storing personal information. This effort is aimed at personal data exposed in this way and reachable via the public internet.
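As an added illustration of the access-rule model described above (this is not DIVD's scanner and not Mendix code), the following Python script models entity access rules the way Mendix structures them (module roles, readable members, an optional XPath constraint) and audits which entities the anonymous role can read without any constraint. The role name Anonymous, the module Portal, its entities and all rules are constructed sample data; the list of attribute-name markers used to spot personal data is an assumption, not something the case page defines.

```python
"""Simplified model of Mendix-style entity access rules plus an audit that
flags entities readable by the anonymous (guest) role.

Added example: not DIVD's tooling and not Mendix's access-rule engine. The
rule shape mirrors the concepts in the summary; the evaluation logic, the
role name ANONYMOUS_ROLE and the sample application are constructed.
"""
from dataclasses import dataclass

ANONYMOUS_ROLE = "Anonymous"  # assumed name of the guest module role

# Assumed attribute-name fragments that suggest personal data.
SENSITIVE_MARKERS = ("name", "email", "phone", "address", "birth", "ssn")


@dataclass(frozen=True)
class AccessRule:
    entity: str                 # e.g. "Portal.Customer"
    roles: frozenset            # module roles this rule applies to
    read: frozenset             # members (attributes/associations) readable
    xpath_constraint: str = ""  # "" means unconstrained: every object matches


@dataclass(frozen=True)
class Finding:
    entity: str
    members: tuple
    constrained: bool
    severity: str  # "high", "review" or "low"


def readable_members(rules, role, entity):
    """Union of members `role` can read on `entity` across matching rules.

    Returns (members, all_constrained). all_constrained is False as soon as
    one matching rule has no constraint, because that rule alone exposes
    every object of the entity regardless of what other rules restrict.
    """
    members = set()
    all_constrained = True
    for rule in rules:
        if rule.entity == entity and role in rule.roles:
            members |= rule.read
            if not rule.xpath_constraint:
                all_constrained = False
    return frozenset(members), all_constrained


def is_sensitive(members):
    """True if any readable member name looks like personal data."""
    return any(m in mem.lower() for mem in members for m in SENSITIVE_MARKERS)


def audit_anonymous(rules):
    """Report every entity the anonymous role can read.

    Severity: "high" for an unconstrained rule exposing personal-data-like
    members (the misconfiguration the case describes), "review" for
    unconstrained access to other members (possibly intended public data),
    "low" when every matching rule carries a constraint.
    """
    findings = []
    for entity in sorted({r.entity for r in rules}):
        members, constrained = readable_members(rules, ANONYMOUS_ROLE, entity)
        if not members:
            continue
        if constrained:
            severity = "low"
        elif is_sensitive(members):
            severity = "high"
        else:
            severity = "review"
        findings.append(Finding(entity, tuple(sorted(members)), constrained, severity))
    return findings


# Constructed sample application: one intentionally public entity, one
# customer entity with a correct owner-constrained rule and a second,
# unconstrained anonymous rule (the misconfiguration), and one constrained
# anonymous rule on orders.
SAMPLE_RULES = [
    AccessRule("Portal.PublicDocument", frozenset({"Anonymous", "Customer"}),
               frozenset({"Title", "File"})),
    AccessRule("Portal.Customer", frozenset({"Customer"}),
               frozenset({"Name", "Email", "Phone"}),
               "[System.owner = '[%CurrentUser%]']"),
    AccessRule("Portal.Customer", frozenset({"Anonymous"}),
               frozenset({"Name", "Email"})),
    AccessRule("Portal.Order", frozenset({"Anonymous"}),
               frozenset({"Total"}),
               "[Portal.Order_Customer/Portal.Customer/System.owner = '[%CurrentUser%]']"),
]

if __name__ == "__main__":
    for f in audit_anonymous(SAMPLE_RULES):
        state = "constrained" if f.constrained else "UNCONSTRAINED"
        print(f"{f.severity:6} {f.entity:24} {state:13} readable: {', '.join(f.members)}")
```

Real Mendix access rules are edited in Studio Pro and enforced by the runtime; the script only reproduces the review question a developer should ask per entity: does any rule give the anonymous role read access without a constraint, and does the entity hold personal data? In the sample, Portal.Customer is the "high" finding even though its owner-constrained rule for the Customer role is correct, because the extra unconstrained anonymous rule overrides that restriction.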

What you can do

What we are doing

Timeline

Date                       Description
19 Mar 2022                DIVD started reviewing applications globally.
30 Mar 2022 - 31 Mar 2022  Scan of applications completed.
31 Mar 2022 - 14 Apr 2022  Applications have been analysed. Findings have been communicated to Mendix for further action.

More information