PT-2023-9659 · Mendix · Mendix Runtime

Julián Menéndez +1 · Published 2023-11-21 · Updated 2025-01-14 · CVE-2023-49069

CVSS v3.1: 5.3 Medium
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Mendix Runtime V10 versions prior to V10.17.0
Mendix Runtime V10.12 versions prior to V10.12.11
Mendix Runtime V10.6 versions prior to V10.6.19
Mendix Runtime V8 versions prior to V8.18.33
Mendix Runtime V9 versions prior to V9.24.31
Description

A vulnerability has been identified in the basic authentication mechanism of Mendix Runtime, which contains an observable response discrepancy when validating usernames. This could allow unauthenticated remote attackers to distinguish between valid and invalid usernames, potentially leading to unauthorized access to protected information.
Recommendations

For Mendix Runtime V10 versions prior to V10.17.0, update to version V10.17.0 or later to resolve the issue.
For Mendix Runtime V10.12 versions prior to V10.12.11, update to version V10.12.11 or later to resolve the issue.
For Mendix Runtime V10.6 versions prior to V10.6.19, update to version V10.6.19 or later to resolve the issue.
For Mendix Runtime V8 versions prior to V8.18.33, update to version V8.18.33 or later to resolve the issue.
For Mendix Runtime V9 versions prior to V9.24.31, update to version V9.24.31 or later to resolve the issue.

As a temporary workaround, consider disabling the basic authentication mechanism until a patch is available. Restrict access to the application to minimize the risk of exploitation. Avoid using the basic authentication mechanism in the affected API endpoints until the issue is resolved.
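The weakness class described above (an observable response discrepancy during username validation) is easiest to see by placing a leaking basic-auth handler next to a uniform one. The following is an added illustration written for this advisory; it is not Mendix Runtime code, and the user store, password hashing scheme, function names and messages are all constructed for the example. The hardened handler returns the same status and body whether the username is unknown or the password is wrong, and it always performs a password-hash comparison (against a dummy hash for unknown accounts) so the two failure paths also cost the same amount of work.

```python
import base64
import binascii
import hashlib
import hmac
from typing import Callable, Optional, Tuple

Response = Tuple[int, str]  # (HTTP status, response body)

# Constructed account store for the example: username -> (salt, PBKDF2-SHA256 hash).
# Hypothetical; it stands in for whatever store a real runtime consults.
_SALT = b"constructed-salt-16b"


def _hash_password(password: str, salt: bytes = _SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


USERS = {"alice": (_SALT, _hash_password("correct horse battery"))}

# Hash of a throwaway password. The hardened path verifies unknown usernames against
# it so the server does the same hashing work whether or not the account exists.
_DUMMY_HASH = _hash_password("no-such-user-placeholder")


def basic_header(user: str, password: str) -> str:
    """Build an 'Authorization: Basic ...' value (RFC 7617 encoding)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode 'Basic base64(user:pass)'; return None for anything malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def vulnerable_login(header: Optional[str]) -> Response:
    """Leaks username validity: distinct messages, and no hashing for unknown users."""
    creds = parse_basic_auth(header)
    if creds is None:
        return 400, "Malformed Authorization header"
    user, password = creds
    if user not in USERS:
        return 401, "Unknown user"            # discrepancy 1: body differs by username
    salt, stored = USERS[user]
    if _hash_password(password, salt) != stored:   # discrepancy 2: only known users pay for hashing
        return 401, "Incorrect password"
    return 200, f"Welcome {user}"


def hardened_login(header: Optional[str]) -> Response:
    """Uniform failure: same status, same body, same work for every unsuccessful attempt."""
    creds = parse_basic_auth(header)
    if creds is None:
        return 401, "Unauthorized"
    user, password = creds
    salt, stored = USERS.get(user, (_SALT, _DUMMY_HASH))
    # Constant-time digest comparison, then confirm the account actually exists so a guess
    # matching the dummy hash can never authenticate.
    ok = hmac.compare_digest(_hash_password(password, salt), stored) and user in USERS
    if not ok:
        return 401, "Unauthorized"
    return 200, f"Welcome {user}"


def responses_are_uniform(login: Callable[[Optional[str]], Response]) -> bool:
    """True when an unknown user and a known user with a wrong password get identical responses."""
    known_wrong_pw = login(basic_header("alice", "wrong-password"))
    unknown_user = login(basic_header("nobody", "wrong-password"))
    return known_wrong_pw == unknown_user


if __name__ == "__main__":
    print("vulnerable_login uniform:", responses_are_uniform(vulnerable_login))
    print("hardened_login uniform:  ", responses_are_uniform(hardened_login))
```

Checking `responses_are_uniform` against a handler is a useful regression test to keep after applying the vendor fix: status code, body, and response headers (including `WWW-Authenticate`) must all be identical across the unknown-user and wrong-password cases, and the dummy-hash path keeps the latency of the two cases comparable, which a body-only comparison would not catch.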

Fix

Weakness Enumeration

Related Identifiers

BDU:2024-09383
CVE-2023-49069

Affected Products

Mendix Runtime