CVE-2024-33500: 
Mendix vulnerability analysis and mitigation

CVE-2024-33500 is a privilege management vulnerability discovered in Mendix Applications affecting versions 9 (V9.3.0 to V9.24.22) and 10 (versions before V10.11.0 and V10.6 before V10.6.9). The vulnerability was disclosed on June 11, 2024, and allows users with role management capabilities to elevate access rights of users within that role (Siemens Advisory).

The vulnerability is classified as an Improper Privilege Management (CWE-269) issue. It has been assigned a CVSS v3.1 base score of 5.9 (Medium) with vector string CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N, and a CVSS v4.0 base score of 7.4 (High) with vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N. Successful exploitation requires the attacker to guess the ID of a target role containing elevated access rights (Siemens Advisory).

If successfully exploited, the vulnerability allows authenticated users with role management capabilities to elevate the access rights of users within their managed role, potentially leading to unauthorized access to sensitive functions and data (CISA Advisory).

Siemens has released patches and recommends updating to the following versions: Mendix 9 to V9.24.22 or later, Mendix 10 to V10.11.0 or later, and Mendix 10 (V10.6) to V10.6.9 or later. As a temporary workaround, users can set the runtime setting StrictReferenceChecks to false, though this reduces the security of reference checks (Siemens Advisory).