CVE-2022-34466: 
Mendix vulnerability analysis and mitigation

An expression injection vulnerability was discovered in the Workflow subsystem of Mendix Runtime that can affect running applications. The vulnerability (CVE-2022-34466) was identified in Mendix Applications using Mendix 9 (versions between v9.11-v9.15) and Mendix Applications using Mendix 9 (v9.12) prior to v9.12.3. The vulnerability was reported by Siemens to CISA in July 2022 (CISA Advisory).

The vulnerability is classified as an Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability (CWE-74). It received a CVSS v3 base score of 6.5, with the vector string (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N), indicating network accessibility, low attack complexity, and requiring low privileges (CISA Advisory).

Successful exploitation of this vulnerability could allow a malicious user to leak sensitive information if the Workflow visual language of Mendix is used (CISA Advisory).

Siemens recommends updating to the latest version of the software: For Mendix Applications using Mendix 9, update to v9.15 or later, and for Mendix Applications using Mendix 9 (V9.12), update to v9.12.3 or later. Additionally, Siemens recommends protecting network access with appropriate mechanisms and configuring the environment according to Siemens' Operational Guidelines for Industrial Security (CISA Advisory).