PT-2023-3305 · Mendix · Mendix Saml

Published: 2023-03-14
Updated: 2023-08-08
CVE: CVE-2023-29129
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Mendix SAML (Mendix 7 compatible) versions 1.16.4 through 1.18.0
Mendix SAML (Mendix 8 compatible) versions 2.2.0 through 2.4.0
Mendix SAML (Mendix 9 latest compatible, New Track) versions 3.1.9 through 3.6.1
Mendix SAML (Mendix 9 latest compatible, Upgrade Track) versions 3.1.8 through 3.6.0
Mendix SAML (Mendix 9.12/9.18 compatible, New Track) versions 3.3.1 through 3.3.15
Mendix SAML (Mendix 9.12/9.18 compatible, Upgrade Track) versions 3.3.0 through 3.3.14
Mendix SAML (Mendix 9.6 compatible, New Track) versions 3.1.9 through 3.2.7
Mendix SAML (Mendix 9.6 compatible, Upgrade Track) versions 3.1.8 through 3.2.6
Description

Affected versions of the Mendix SAML module do not sufficiently verify SAML assertions. An unauthenticated remote attacker could use this to bypass authentication and gain access to the application. The root cause is an error in the implementation of the module's authentication logic.
Recommendations

For each affected track, update Mendix SAML to a version outside of the affected range to resolve the issue:

Mendix SAML (Mendix 7 compatible): affected 1.16.4 through 1.18.0
Mendix SAML (Mendix 8 compatible): affected 2.2.0 through 2.4.0
Mendix SAML (Mendix 9 latest compatible, New Track): affected 3.1.9 through 3.6.1
Mendix SAML (Mendix 9 latest compatible, Upgrade Track): affected 3.1.8 through 3.6.0
Mendix SAML (Mendix 9.12/9.18 compatible, New Track): affected 3.3.1 through 3.3.15
Mendix SAML (Mendix 9.12/9.18 compatible, Upgrade Track): affected 3.3.0 through 3.3.14
Mendix SAML (Mendix 9.6 compatible, New Track): affected 3.1.9 through 3.2.7
Mendix SAML (Mendix 9.6 compatible, Upgrade Track): affected 3.1.8 through 3.2.6

Fix

Weakness Enumeration

Improper Authentication

Related Identifiers

BDU:2023-03449
CVE-2023-29129

Affected Products

Mendix Saml