CVE-2022-24309: 
Mendix vulnerability analysis and mitigation

A vulnerability (CVE-2022-24309) was identified in Mendix Runtime affecting multiple versions: V7 (all versions < V7.23.29), V8 (all versions < V8.18.16), and V9 (all versions < V9.13 with Runtime Custom Setting DataStorage.UseNewQueryHandler set to False). The vulnerability was discovered and disclosed on March 8, 2022, affecting the Mendix Runtime platform, which is designed to accelerate enterprise app delivery across the entire application development lifecycle (Siemens Advisory).

The vulnerability is related to improper access control (CWE-284) where Mendix Runtime may not properly apply checks for XPath constraints that parse associations within apps running on affected versions. This occurs specifically when an entity has an association readable by the user. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.8 with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N (CISA Advisory, Siemens Advisory).

If exploited, this vulnerability could allow a malicious user to deduce contents of inaccessible attributes and modify sensitive data within applications running on the affected Mendix Runtime versions (Siemens Advisory, CISA Advisory).

Siemens has released updates to address this vulnerability and recommends the following mitigations: For Mendix 7, update to V7.23.29 or later; for Mendix 8, update to V8.18.16 or later; for Mendix 9, set Runtime Custom Setting DataStorage.UseNewQueryHandler to True or remove the custom setting (True is the default value). Additionally, Siemens strongly recommends protecting network access to devices with appropriate mechanisms and configuring the environment according to Siemens' operational guidelines for Industrial Security (Siemens Advisory).