0

Hi everyone,   I’m a pentester and come in contact with Mendix occasionally so please be patient with my ignorance regarding Mendix details.   Situation: I am currently testing a Mendix application that seems to be Version 8.18.15.34072. How did I identify this:   curl -s https://<target-host>/mxclientsystem/mxui/mxui.js | grep -oP 'this.version="[0-9\.]+"'   So from checking the release notes for the 8.18 branch I concluded that this Version should have multiple CVEs that have been patched in following patch releases:   8.18.16 CVE-2022-24309 XPath Constraint Vulnerability in Mendix Runtime (8.1) CVE-2021-45105 Apache Log4j Denial of Service Vulnerability (5.9) CVE-2021-44832 Apache Log4j Vulnerability via JDBC Appender (6.6) 8.18.18 CVE-2022-31257 Improper Access Control Vulnerability in Mendix (7.5) CVE-2022-27241 Information Disclosure Vulnerability in Mendix (7.5) Now before I needlessly scare the heck out my customer, I wanted to make sure I’m understanding the release/patch policy correctly:    Security fixes come from installing new patch releases (i.e. they will increment the patch version, third section of the version number) There is no such thing as hotfixes that will only change the last segment of the version number when fixing security vulns Did I understand the situation correctly?

asked 2022-12-02

3 answers