PT-2023-1689 · Mendix · Mendix Saml

Published: 2023-03-14 · Updated: 2023-08-08 · CVE-2023-25957

CVSS v2.0: 9.4 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions

- Mendix SAML (Mendix 7 compatible) versions 1.16.4 through 1.17.3
- Mendix SAML (Mendix 8 compatible) versions 2.2.0 through 2.3.0
- Mendix SAML (Mendix 9 latest compatible, New Track) versions 3.1.9 through 3.3.1
- Mendix SAML (Mendix 9 latest compatible, Upgrade Track) versions 3.1.8 through 3.3.0
- Mendix SAML (Mendix 9.6 compatible, New Track) versions 3.1.9 through 3.2.7
- Mendix SAML (Mendix 9.6 compatible, Upgrade Track) versions 3.1.8 through 3.2.6
Description

The vulnerability stems from insufficient verification of SAML assertions in the affected versions of the Mendix SAML module, caused by errors in the implementation of the authentication algorithm. An unauthenticated remote attacker could exploit this to bypass authentication and gain access to the application.
Recommendations

- For Mendix SAML (Mendix 7 compatible) versions 1.16.4 through 1.17.3, update to a version outside of this range.
- For Mendix SAML (Mendix 8 compatible) versions 2.2.0 through 2.3.0, update to a version outside of this range.
- For Mendix SAML (Mendix 9 latest compatible, New Track) versions 3.1.9 through 3.3.1, update to a version outside of this range.
- For Mendix SAML (Mendix 9 latest compatible, Upgrade Track) versions 3.1.8 through 3.3.0, update to a version outside of this range.
- For Mendix SAML (Mendix 9.6 compatible, New Track) versions 3.1.9 through 3.2.7, update to a version outside of this range.
- For Mendix SAML (Mendix 9.6 compatible, Upgrade Track) versions 3.1.8 through 3.2.6, update to a version outside of this range.

As a temporary workaround, consider enabling the recommended configuration option Use Encryption to mitigate the risk of exploitation.
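Because the affected ranges differ per module track and overlap in version numbers, a fleet check needs the track as well as the version. The following script is an added example, not part of the advisory or of Mendix's own tooling; the track names are assumed labels taken from the list above, and the sample inventory is constructed.

```python
# Added example (not from the advisory): checks whether an installed Mendix SAML
# module version falls inside one of the affected ranges listed above.
# Track labels and the tuple-based comparison are this example's own assumptions;
# the version ranges are exactly those stated in the advisory.

AFFECTED_RANGES = {
    "Mendix 7 compatible": ("1.16.4", "1.17.3"),
    "Mendix 8 compatible": ("2.2.0", "2.3.0"),
    "Mendix 9 latest compatible, New Track": ("3.1.9", "3.3.1"),
    "Mendix 9 latest compatible, Upgrade Track": ("3.1.8", "3.3.0"),
    "Mendix 9.6 compatible, New Track": ("3.1.9", "3.2.7"),
    "Mendix 9.6 compatible, Upgrade Track": ("3.1.8", "3.2.6"),
}


def parse_version(version: str) -> tuple:
    """Turn '3.2.7' into (3, 2, 7) so ranges compare numerically, not as strings
    (a plain string compare would wrongly place '1.17.10' before '1.17.3')."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric dotted version: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(track: str, version: str) -> bool:
    """True if `version` of the given module track lies inside the advisory's
    inclusive 'X through Y' range for that track."""
    if track not in AFFECTED_RANGES:
        raise KeyError(f"unknown Mendix SAML track: {track!r}")
    low, high = (parse_version(v) for v in AFFECTED_RANGES[track])
    return low <= parse_version(version) <= high


def assess(track: str, version: str, use_encryption: bool) -> str:
    """Summarise the advisory's guidance for one installation."""
    if not is_affected(track, version):
        return "not affected"
    if use_encryption:
        return "affected; 'Use Encryption' workaround enabled, update still required"
    return "affected; update to a version outside the range (workaround: enable 'Use Encryption')"


if __name__ == "__main__":
    # Constructed sample inventory, not real data.
    inventory = [
        ("Mendix 9.6 compatible, Upgrade Track", "3.2.6", False),
        ("Mendix 9.6 compatible, Upgrade Track", "3.2.7", False),
        ("Mendix 7 compatible", "1.17.10", True),
    ]
    for track, version, enc in inventory:
        print(f"{track} {version}: {assess(track, version, enc)}")
```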

Fix

Weakness Enumeration: Improper Authentication

Related Identifiers: BDU:2023-01260, CVE-2023-25957

Affected Products: Mendix Saml