CVE-2022-44457

Name of the Vulnerable Software and Affected Versions Mendix SAML (Mendix 7 compatible) versions prior to 1.17.2 Mendix SAML (Mendix 8 compatible) versions prior to 2.3.2 Mendix SAML (Mendix 9 compatible, New Track) versions prior to 3.3.5 Mendix SAML (Mendix 9 compatible, Upgrade Track) versions prior to 3.3.4

Description The issue arises from insufficient protection against packet capture replay when the non-default configuration option Allow Idp Initiated Authentication is enabled. This problem is related to an incomplete fix for a previous issue in a specific non-default configuration.

Recommendations For Mendix SAML (Mendix 7 compatible) versions prior to 1.17.2, update to version 1.17.2 or later. For Mendix SAML (Mendix 8 compatible) versions prior to 2.3.2, update to version 2.3.2 or later. For Mendix SAML (Mendix 9 compatible, New Track) versions prior to 3.3.5, update to version 3.3.5 or later. For Mendix SAML (Mendix 9 compatible, Upgrade Track) versions prior to 3.3.4, update to version 3.3.4 or later. As a temporary workaround, consider disabling the Allow Idp Initiated Authentication option until a patch is available.