PT-2022-23756 · Mendix · Mendix Saml

Published: 2022-09-13 · Updated: 2022-12-13 · CVE-2022-37011

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
- Mendix SAML (Mendix 7 compatible) versions prior to V1.17.0
- Mendix SAML (Mendix 8 compatible) versions prior to V2.3.0
- Mendix SAML (Mendix 9 compatible, New Track) versions prior to V3.3.1
- Mendix SAML (Mendix 9 compatible, Upgrade Track) versions prior to V3.3.0
Description
A vulnerability has been identified that allows unauthenticated remote attackers to bypass authentication and gain access to the application by replaying a captured SAML authentication response (insufficient protection against packet capture replay). The issue is only present when the configuration option Allow Idp Initiated Authentication is enabled, which is neither the default nor a recommended setting. With IdP-initiated authentication there is no application-issued AuthnRequest for the response to be matched against, so a response captured in transit can be presented to the application again.
Recommendations
- Mendix SAML (Mendix 7 compatible) versions prior to V1.17.0: update to V1.17.0 or later and ensure the Allow Idp Initiated Authentication option is disabled.
- Mendix SAML (Mendix 8 compatible) versions prior to V2.3.0: update to V2.3.0 or later and ensure the Allow Idp Initiated Authentication option is disabled.
- Mendix SAML (Mendix 9 compatible, New Track) versions prior to V3.3.1: update to V3.3.1 or later and ensure the Allow Idp Initiated Authentication option is disabled.
- Mendix SAML (Mendix 9 compatible, Upgrade Track) versions prior to V3.3.0: update to V3.3.0 or later and ensure the Allow Idp Initiated Authentication option is disabled.
As a temporary workaround, disable the Allow Idp Initiated Authentication option until the update can be applied.
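The checks a SAML service provider needs in order to resist the replay described above, as an added example that is not Mendix's code and says nothing about how the Mendix SAML module is implemented. The guard class, its option name allow_idp_initiated (mirroring the advisory's Allow Idp Initiated Authentication switch), the make_response helper and the sample responses are all constructed for illustration. Signature verification is assumed to have happened before accept() is called and is deliberately left out.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Fixed clock so the example is deterministic (constructed value).
FIXED_NOW = datetime(2022, 9, 13, 10, 0, 0, tzinfo=timezone.utc)


def parse_saml_time(value):
    """Parse the UTC xs:dateTime form used in SAML, e.g. 2022-09-13T10:05:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class SamlReplayGuard:
    """Hypothetical SP-side guard. Rejects replayed assertions and, unless
    allow_idp_initiated is set, any response not tied to an AuthnRequest we issued."""

    def __init__(self, allow_idp_initiated=False, now=None):
        self.allow_idp_initiated = allow_idp_initiated
        self.now = now or (lambda: datetime.now(timezone.utc))
        self.pending_requests = set()  # AuthnRequest IDs issued and not yet answered
        self.seen_assertions = {}      # assertion ID -> expiry; the replay cache

    def issue_request(self, request_id):
        self.pending_requests.add(request_id)

    def accept(self, response_xml):
        """Return (True, 'ok') when the response may be used, else (False, reason)."""
        now = self.now()
        # Entries past NotOnOrAfter would be rejected as expired anyway; drop them.
        self.seen_assertions = {k: v for k, v in self.seen_assertions.items() if v > now}

        root = ET.fromstring(response_xml)
        assertion = root.find("saml:Assertion", NS)
        if assertion is None:
            return False, "no assertion"
        assertion_id = assertion.get("ID")
        if not assertion_id:
            return False, "assertion has no ID"

        in_response_to = root.get("InResponseTo")
        if in_response_to is None:
            # No AuthnRequest on our side: IdP-initiated. Nothing binds the response
            # to this browser session, so a captured copy looks exactly like the original.
            if not self.allow_idp_initiated:
                return False, "unsolicited response rejected"
        elif in_response_to not in self.pending_requests:
            return False, "InResponseTo does not match an outstanding request"

        conditions = assertion.find("saml:Conditions", NS)
        scd = assertion.find(
            "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
        expiries = [e.get("NotOnOrAfter") for e in (conditions, scd)
                    if e is not None and e.get("NotOnOrAfter")]
        if not expiries:
            return False, "assertion has no NotOnOrAfter"
        expiry = min(parse_saml_time(t) for t in expiries)
        if now >= expiry:
            return False, "assertion expired"
        if scd is not None and scd.get("InResponseTo") not in (None, in_response_to):
            return False, "SubjectConfirmationData InResponseTo mismatch"

        if assertion_id in self.seen_assertions:
            return False, "assertion replayed"

        # Commit: each request is answered once, each assertion is used once.
        self.seen_assertions[assertion_id] = expiry
        if in_response_to is not None:
            self.pending_requests.discard(in_response_to)
        return True, "ok"


def make_response(assertion_id, not_on_or_after, in_response_to=None):
    """Build a minimal (unsigned, constructed) SAML Response for the demo."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp_{assertion_id}" Version="2.0"{irt}>
  <saml:Assertion ID="{assertion_id}" Version="2.0">
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="{not_on_or_after}"{irt}/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotOnOrAfter="{not_on_or_after}"/>
  </saml:Assertion>
</samlp:Response>"""


def demo():
    """Run the scenarios from the advisory and return each outcome by name."""
    results = {}
    fresh = make_response("_a1", "2022-09-13T10:05:00Z", in_response_to="_req1")
    unsolicited = make_response("_a2", "2022-09-13T10:05:00Z")
    stale = make_response("_a3", "2022-09-13T09:55:00Z")

    strict = SamlReplayGuard(allow_idp_initiated=False, now=lambda: FIXED_NOW)
    strict.issue_request("_req1")
    results["sp_initiated"] = strict.accept(fresh)            # first use is accepted
    results["sp_replay"] = strict.accept(fresh)               # request already consumed
    results["idp_initiated_disabled"] = strict.accept(unsolicited)

    lenient = SamlReplayGuard(allow_idp_initiated=True, now=lambda: FIXED_NOW)
    results["idp_initiated_enabled"] = lenient.accept(unsolicited)
    results["idp_initiated_replay"] = lenient.accept(unsolicited)  # same assertion again
    results["idp_initiated_expired"] = lenient.accept(stale)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

With the option disabled, an SP-initiated response is tied to a pending AuthnRequest and a replay fails on the consumed InResponseTo before any cache is consulted. Once IdP-initiated logins are allowed, that binding is gone and the only defences left are the NotOnOrAfter window and an assertion-ID cache that must be shared across every application node, which is why the advisory treats enabling the option as the condition for the flaw.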

Related Identifiers

CVE-2022-37011

Affected Products

Mendix Saml