CVE-2021-33712

8.8 HIGH

📋 TL;DR

This vulnerability in Mendix SAML Module allows authenticated attackers to bypass identity provider restrictions and escalate privileges. It affects all Mendix applications using SAML Module versions before 2.1.2. Attackers could gain unauthorized access to sensitive functions or data.

💻 Affected Systems

Products:
  • Mendix SAML Module
Versions: All versions < 2.1.2
Operating Systems: All platforms running Mendix applications
Default Config Vulnerable: ⚠️ Yes
Notes: Affects any Mendix application using the vulnerable SAML Module for authentication.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise where authenticated attackers gain administrative privileges, access sensitive data, and potentially pivot to other systems.

🟠 Likely Case

Privilege escalation allowing attackers to access unauthorized application functions and data they shouldn't have permission to view or modify.

🟢 If Mitigated

Limited impact with proper network segmentation, strong authentication controls, and monitoring in place to detect unusual privilege changes.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated access but exploitation details are not publicly documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: V2.1.2

Vendor Advisory: https://cert-portal.siemens.com/productcert/pdf/ssa-522654.pdf

Restart Required: Yes

Instructions:

1. Update Mendix SAML Module to version 2.1.2 or later.
2. Redeploy affected Mendix applications.
3. Restart application services.

🔧 Temporary Workarounds

Disable SAML Module

Applies to: all

Temporarily disable SAML authentication and use alternative authentication methods.

Network Segmentation

Applies to: all

Restrict access to affected applications to trusted networks only.

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can reach affected applications
  • Enhance monitoring for privilege escalation attempts and unusual user behavior

🔍 How to Verify

Check if Vulnerable:

Check the Mendix application configuration for the SAML Module version. If the version is below 2.1.2, the application is vulnerable.

Check Version:

Check the Mendix application configuration files or the admin console for the SAML Module version.

Verify Fix Applied:

Verify that the SAML Module version is 2.1.2 or higher in the application configuration, then test that SAML authentication still works end to end.

📡 Detection & Monitoring

Log Indicators:

  • Unusual privilege changes in user sessions
  • Multiple failed authentication attempts followed by successful escalation
  • SAML assertion validation errors

Network Indicators:

  • Unusual SAML traffic patterns
  • Authentication requests from unexpected sources

SIEM Query:

source="mendix-logs" AND (event="privilege_escalation" OR event="saml_validation_error")
