Lucene search

PRIOn knowledge basePRION:CVE-2022-44457

HistoryNov 08, 2022 - 11:15 a.m.

Default configuration

2022-11-0811:15:00

PRIOn knowledge base

www.prio-n.com

mendix saml

vulnerability

packet capture replay

idp initiated authentication

cve-2022-37011

non default configuration

nvd

9.4 High

AI Score

Confidence

High

0.004 Low

EPSS

Percentile

73.3%

JSON

A vulnerability has been identified in Mendix SAML (Mendix 7 compatible) (All versions < V1.17.0), Mendix SAML (Mendix 7 compatible) (All versions >= V1.17.0 < V1.17.2), Mendix SAML (Mendix 8 compatible) (All versions < V2.3.0), Mendix SAML (Mendix 8 compatible) (All versions >= V2.3.0 < V2.3.2), Mendix SAML (Mendix 9 compatible, New Track) (All versions < V3.3.1), Mendix SAML (Mendix 9 compatible, New Track) (All versions >= V3.3.1 < V3.3.5), Mendix SAML (Mendix 9 compatible, Upgrade Track) (All versions < V3.3.0), Mendix SAML (Mendix 9 compatible, Upgrade Track) (All versions >= V3.3.0 < V3.3.4). Affected versions of the module insufficiently protect from packet capture replay, only when the not recommended, non default configuration option 'Allow Idp Initiated Authentication' is enabled. This CVE entry describes the incomplete fix for CVE-2022-37011 in a specific non default configuration.

CPENameOperatorVersion
samllt1.17.0
samlge2.3.0
samllt2.3.2
samlge3.3.0
samllt3.3.4

Name	Operator	Version
saml	lt	1.17.0
saml	ge	2.3.0
saml	lt	2.3.2
saml	ge	3.3.0
saml	lt	3.3.4

References

cert-portal.siemens.com/productcert/pdf/ssa-638652.pdf