-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

# SSA-224632: Improper Access Control Vulnerability in Mendix Email Connector
Module

Publication Date:        2022-12-13
Last Update:             2022-12-13
Current Version:         1.0
CVSS v3.1 Base Score:    8.1


SUMMARY
=======

The Mendix Email Connector module improperly handles access control
for some module entities. This could allow authenticated remote
attackers to read and manipulate sensitive information.

Mendix has released an update for the Mendix Email Connector module
and recommends to update to the latest version.


AFFECTED PRODUCTS AND SOLUTION
==============================


* Mendix Email Connector 
  - Affected versions:
       All versions < V2.0.0
  - Remediation:
       Update to V2.0.0 or later version

       See further recommendations from section "Workarounds and Mitigations"
  - Download:
       https://marketplace.mendix.com/link/component/120739


WORKAROUNDS AND MITIGATIONS
===========================

Siemens has identified the following specific workarounds and mitigations that
customers can apply to reduce the risk:

  * Do not use the default user role of the module

Product-specific remediations or mitigations can be found in the section
"Affected Products and Solution".


Please follow the "General Security Recommendations".


GENERAL SECURITY RECOMMENDATIONS
================================

As a general security measure, Siemens strongly recommends to protect
network access to devices with appropriate mechanisms. In order to
operate the devices in a protected IT environment, Siemens recommends
to configure the environment according to Siemens' operational
guidelines for Industrial Security (Download:

https://www.siemens.com/cert/operational-guidelines-industrial-
security), and to follow the recommendations in the product manuals.
Additional information on Industrial Security by Siemens can be found
at:  https://www.siemens.com/industrialsecurity


PRODUCT DESCRIPTION
===================

Mendix Email Connector module allows you to send and receive emails on
your own email server, and adds new features like sending signed and
encrypted emails.

VULNERABILITY CLASSIFICATION
============================

The vulnerability classification has been performed by using the CVSS scoring
system in version 3.1 (CVSS v3.1) (https://www.first.org/cvss/). The CVSS
environmental score is specific to the customer's environment and will impact
the overall CVSS score. The environmental score should therefore be
individually defined by the customer to accomplish final scoring.

An additional classification has been performed using the CWE classification, a
community-developed list of common software security weaknesses. This serves as
a common language and as a baseline for weakness identification, mitigation,
and prevention efforts. A detailed list of CWE classes can be found at:
https://cwe.mitre.org/.



* Vulnerability CVE-2022-45936

  Affected versions of the module improperly handle access control for
  some module entities.

    This could allow authenticated remote attackers to read and
  manipulate sensitive information.

    CVSS v3.1 Base Score: 8.1
    CVSS Vector:          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C
    CWE:                  CWE-284: Improper Access Control




ADDITIONAL INFORMATION
======================

For further inquiries on security vulnerabilities in Siemens products and
solutions, please contact the Siemens ProductCERT:

https://www.siemens.com/cert/advisories


HISTORY DATA
============

V1.0 (2022-12-13): Publication Date

TERMS OF USE
============

Siemens Security Advisories are subject to the terms and conditions contained
in Siemens' underlying license terms or other applicable agreements previously
agreed to with Siemens (hereinafter "License Terms"). To the extent applicable
to information, software or documentation made available in or through a
Siemens Security Advisory, the Terms of Use of Siemens' Global Website
(https://www.siemens.com/terms_of_use, hereinafter "Terms of Use"), in
particular Sections 8-10 of the Terms of Use, shall apply additionally. In case
of conflicts, the License Terms shall prevail over the Terms of Use.

Copyright: Siemens 2022
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEHyx/myPwjH9jB9tDlm7gTEmyujQFAmOXwIAACgkQlm7gTEmy
ujTnDQ/+NeJ/eYOLUyewiRzJiSdCDic+1FQ126MDtcZDhR2Ix7OVfxvshsikNCM8
H2z2cpIwiYJfWMN40JWkAwR4qDS+T3vaQbno/pjTvE1TCv5qnb+Zz7vF7rgd+aSp
O4iCO30/KT8F1Q9MucbvlVYWtv0mkeUCrvrm8SFkujKPekEU9qonWiMFVar6QguX
K1h5zxagQHYyvgz/1lq94R8lq/rrCt8lkb02ez9Emef2EJ5WceJK8f/XtSMUXFOs
WzYLoCqxObM+n8yJmHWXV/7wDRTXxmDNELGzszIabMTcP+1jOaj6fhtnDlL8T4Xj
hacYGah627RXjHa+BRwBXWLNZUzS5KddVLw3dTwzKI1VJVzfknfMFI+cww9R2crw
oJcbDtbZ9P1E6PoNVIicf05gSNIc8in1VNtsKVMOvURnRm42ojRpOvjU6VYm71wZ
yV8d/4WzU4ScMaYcOnfkgXOsyVhJCqyClty/hCkwR3GivXHohLeVqk9I8/Sa6OxZ
POCmJEFSjSdysWZYIAZLZneS25jQpyMdNR+yw8m2fRXfHJ4ukXzK5ERZz9de6UQF
r1WLTIg9Rp97W2i1O2NTcPPK4+87Pz84Uo4OS62QjBNUXaukHWJmE/c1Bx9irPtD
6o8E4OwUkX4z21xzeXdxJuugNzsjddE3JqxJ181fjwOQW9FRMDM=
=Ju5h
-----END PGP SIGNATURE-----