CVE-2022-34466

A vulnerability has been identified in Mendix Applications using Mendix 9 (All versions >= V9.11 < V9.15), Mendix Applications using Mendix 9 (V9.12) (All versions < V9.12.3). An expression injection vulnerability was discovered in the Workflow subsystem of Mendix Runtime, that can affect the running applications. The vulnerability could allow a malicious user to leak sensitive information in a certain configuration.
References
Configurations

Configuration 1 (hide)

cpe:2.3:a:mendix:mendix:*:*:*:*:*:*:*:*

History

29 Jun 2023, 15:34

Type Values Removed Values Added
CWE CWE-74 CWE-917

20 Jul 2022, 15:31

Type Values Removed Values Added
References (CONFIRM) https://cert-portal.siemens.com/productcert/pdf/ssa-492173.pdf - (CONFIRM) https://cert-portal.siemens.com/productcert/pdf/ssa-492173.pdf - Patch, Vendor Advisory
CVSS v2 : unknown
v3 : unknown
v2 : 3.5
v3 : 6.5
CWE CWE-74
CPE cpe:2.3:a:mendix:mendix:*:*:*:*:*:*:*:*

12 Jul 2022, 10:15

Type Values Removed Values Added
New CVE

Information

Published : 2022-07-12 10:15

Updated : 2024-02-04 22:51


NVD link : CVE-2022-34466

Mitre link : CVE-2022-34466

CVE.ORG link : CVE-2022-34466


JSON object : View

Products Affected

mendix

  • mendix
CWE
CWE-917

Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')