CVE-2024-50313: 
Mendix vulnerability analysis and mitigation

A race condition vulnerability (CVE-2024-50313) was identified in Mendix Runtime's basic authentication implementation. The vulnerability affects multiple versions including Mendix Runtime V8, V9 (versions < V9.24.29), V10 (versions < V10.16.0), V10.6 (versions < V10.6.15), and V10.12 (versions < V10.12.7). The vulnerability was discovered and reported by Siemens ProductCERT, with initial disclosure on November 12, 2024 (Siemens Advisory).

The vulnerability is classified as a Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition) vulnerability, identified as CWE-362. It has received a CVSS v3.1 base score of 5.3 (MEDIUM) with vector string AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, and a CVSS v4.0 base score of 6.9 (MEDIUM) with vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N (CISA Advisory).

The vulnerability could allow unauthenticated remote attackers to circumvent default account lockout measures in applications using the basic authentication mechanism (Siemens Advisory).

Siemens has released updates for affected versions and recommends updating to Mendix Runtime V9.24.29 or later, V10.16.0 or later, V10.6.15 or later, or V10.12.7 or later as applicable. For Mendix Runtime V8, no fix is currently planned. As an alternative mitigation, users are advised not to use basic authentication and instead set up an alternative authentication module (e.g., SAML, MendixSSO) or implement their own Identity Provider (IDP) (Siemens Advisory).