SSA-097435: Usernames Disclosure Vulnerability in Mendix Runtime

1. Publication Date:
- 2024-09-10

2. Last Update:
- 2024-09-10

3. Current Version:
- V1.0

4. CVSS v3.1 Base Score:
- 5.3

5. CVSS v4.0 Base Score:
- 6.9

6. Summary:
- Mendix Runtime contains an observable response discrepancy vulnerability when validating usernames during authentication. This could allow unauthenticated remote attackers to distinguish between valid and invalid usernames.

7. Affected Products and Solution:
- Mendix Runtime V8, V9, V10, V10.6, V10.12
- Remediation: Update to the latest version or use alternative authentication mechanisms.

8. Workarounds and Mitigations:
- Do not use basic authentication; instead, set up an alternative authentication module (e.g., SAML, MendixSSO) or your own Identity Provider (IDP).

9. General Security Recommendations:
- Protect network access to devices with appropriate mechanisms.
- Configure the environment according to Siemens' operational guidelines for Industrial Security.
- Additional information on Industrial Security by Siemens can be found at:

10. Product Description:
- Mendix Runtime is a platform for developing and deploying web applications.

11. Vulnerability Description:
- The authentication mechanism of affected applications contains an observable response discrepancy vulnerability when validating usernames.

12. Acknowledgments:
- Siemens thanks Raquel Gálvez from Hispasec Sistemas for reporting the vulnerability.

13. Additional Information:
- Contact Siemens ProductCERT for further inquiries on security vulnerabilities in Siemens products and solutions.

14. History Data:
- V1.0 (2024-09-10): Publication Date

15. Terms of Use:
- Siemens Security Advisories are subject to the terms and conditions contained in Siemens' underlying license terms or other applicable agreements previously agreed to with Siemens. The Terms of Use of Siemens' Global Website shall apply in case of conflicts.
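The response discrepancy the advisory describes, as an added example that is not Mendix code: a leaky login handler that answers differently for an unknown username than for a wrong password, beside a hardened handler that returns the same status, the same message and the same hashing cost on every failure path. The user store, salt, decoy credential and message text are constructed assumptions.

```python
import hashlib
import hmac
import secrets


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count kept modest for the example.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: username -> (salt, password hash). Assumption, not Mendix data.
_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Decoy credential so an unknown username costs the same hash work as a known one.
_DECOY = (_SALT, _hash(secrets.token_hex(16), _SALT))


def login_leaky(username: str, password: str) -> tuple[int, str]:
    """Vulnerable pattern (CWE-204): the reply reveals whether the username exists."""
    if username not in USERS:
        return 401, "Unknown user"          # short-circuits, no hashing, distinct text
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return 401, "Wrong password"
    return 200, "OK"


def login_uniform(username: str, password: str) -> tuple[int, str]:
    """Hardened: identical status, message and work whether or not the user exists."""
    salt, stored = USERS.get(username, _DECOY)
    candidate = _hash(password, salt)       # always computed, even for unknown users
    ok = hmac.compare_digest(candidate, stored) and username in USERS
    if not ok:
        return 401, "Invalid username or password"
    return 200, "OK"


def distinguishes_users(handler) -> bool:
    """Check used in review: does an unknown user get a different reply than a wrong password?"""
    return handler("nobody", "x") != handler("alice", "x")
```

The `distinguishes_users` check is the property to assert in an application's own test suite: any difference in status, body or error code between the two failure paths is the discrepancy the advisory warns about.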