As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories.
1. EXECUTIVE SUMMARY
- CVSS v4 4.6
- ATTENTION: Exploitable remotely
- Vendor: Siemens
- Equipment: Mendix Studio Pro
- Vulnerability: Path Traversal
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to write or modify arbitrary files in directories outside a developer’s project directory.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Siemens reports that the following versions of the Mendix Studio Pro integrated development environment are affected:
- Siemens Mendix Studio Pro 8: Versions prior to V8.18.35
- Siemens Mendix Studio Pro 9: Versions prior to V9.24.35
- Siemens Mendix Studio Pro 10: Versions prior to V10.23.0
- Siemens Mendix Studio Pro 10.6: Versions prior to V10.6.24
- Siemens Mendix Studio Pro 10.12: Versions prior to V10.12.17
- Siemens Mendix Studio Pro 10.18: Versions prior to V10.18.7
- Siemens Mendix Studio Pro 11: All versions
3.2 VULNERABILITY OVERVIEW
3.2.1 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22
A zip path traversal vulnerability exists in the module installation process of Studio Pro. By crafting a malicious module and distributing it via (for example) the Mendix Marketplace, an attacker could write or modify arbitrary files in directories outside a developer’s project directory upon module installation.
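The check that prevents this class of flaw, shown as an added example (not Siemens or Mendix code): every archive entry is resolved against the destination directory before anything is written, and the whole package is rejected if any entry lands outside it. The function names and the sample archive are constructed for illustration.

```python
import io
import os
import zipfile


def is_inside(root, target):
    """True if target is root itself or lies beneath it."""
    try:
        return os.path.commonpath([root, target]) == root
    except ValueError:  # different drive or UNC path on Windows
        return False


def escaping_entries(archive, dest_dir):
    """Return entry names that would resolve outside dest_dir."""
    root = os.path.realpath(dest_dir)
    bad = []
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            # Treat "\" as a separator too: Windows accepts both.
            name = info.filename.replace("\\", "/")
            target = os.path.realpath(os.path.join(root, name))
            # ":" catches drive-letter names when checking on a non-Windows host.
            if ":" in name or not is_inside(root, target):
                bad.append(info.filename)
    return bad


def install_module(archive, dest_dir):
    """Hypothetical installer: reject the whole package if any entry escapes."""
    bad = escaping_entries(archive, dest_dir)
    if bad:
        raise ValueError(f"package rejected, entries escape destination: {bad}")
    with zipfile.ZipFile(archive) as zf:
        zf.extractall(dest_dir)


def build_sample(names):
    """Constructed in-memory archive used only for this demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"constructed sample")
    return buf
```

Python's own `extractall` already strips `..` components and leading slashes; the explicit check is what turns a malformed package into a rejection that can be logged, and it carries over to extraction libraries that do not sanitise names.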