Platform: siemens
Component: mendix-applications
Fixed in: V10.11.0, V10.6.9, V9.24.22
CVE-2024-33500 describes a role elevation vulnerability discovered in Mendix Applications. This flaw allows users with role management capabilities to potentially escalate the access rights of other users within the application. The vulnerability impacts Mendix Applications versions 9.3.0 through 10.11.0, Mendix 10.6 (prior to version 10.6.9), and Mendix 9 (versions 9.3.0 up to 9.24.22). A fix is available in version 10.11.0.
Successful exploitation of CVE-2024-33500 hinges on an attacker's ability to identify and guess the ID of a target role that grants elevated privileges. Once the role ID is known, an attacker with sufficient permissions can modify the role’s assignments, effectively granting themselves or other users unauthorized access. This could lead to data breaches, unauthorized modifications to application configurations, or even complete control over the affected Mendix application. The blast radius is directly proportional to the privileges granted by the elevated role; a role with administrative access would grant the attacker near-complete control.
CVE-2024-33500 was publicly disclosed on June 11, 2024. Currently, there are no known public proof-of-concept exploits available. The vulnerability's exploitation relies on guessing role IDs, which presents a moderate barrier to entry. Its inclusion in the CISA KEV catalog is pending. Active exploitation campaigns are not currently confirmed, but the vulnerability's potential impact warrants proactive mitigation.
Exploit Status:
EPSS: 0.19% (41st percentile)
CVSS Vector:
The primary mitigation for CVE-2024-33500 is to upgrade Mendix Applications to version 10.11.0 or later. If immediate upgrading is not feasible, consider implementing stricter role management controls to limit the number of users with the ability to modify role assignments. Review existing role configurations to identify and remove any roles with excessive privileges. While a direct workaround to prevent role ID guessing isn't available, implementing robust access controls and regular security audits can help detect and prevent unauthorized role modifications. After upgrading, verify the integrity of role assignments and access controls to ensure the vulnerability has been effectively addressed.
Upgrade Mendix Applications to version 10.11.0 or later, or to version 10.6.9 or later if you are using version 10.6, or to version 9.24.22 or later if you are using version 9. This fixes the privilege elevation vulnerability. Refer to the Siemens security advisory for more details.
CVE-2024-33500 is a medium-severity vulnerability in Mendix Applications that allows users to elevate other users' access rights by guessing role IDs. It affects versions 9.3.0 up to V10.11.0, V10.6 (all versions before V10.6.9), and V9 (V9.3.0 and later, before V9.24.22).
If you are using Mendix Applications versions 9.3.0 up to V10.11.0, V10.6 (any version before V10.6.9), or V9 (V9.3.0 or later, before V9.24.22), you are potentially affected and should upgrade immediately.
Upgrade Mendix Applications to version 10.11.0 or later to resolve this vulnerability. Implement stricter role management controls as an interim measure.
Currently, there are no confirmed reports of active exploitation, but the potential impact warrants proactive mitigation.
Refer to the official Mendix security advisory for detailed information and updates: [https://www.mendix.com/security-advisories/](https://www.mendix.com/security-advisories/)