CVE-2024-39888
First published: Tue Jul 09 2024(Updated: )
A vulnerability has been identified in Mendix Encryption (All versions >= V10.0.0 < V10.0.2). Affected versions of the module define a specific hard-coded default value for the EncryptionKey constant, which is used in projects where no individual EncryptionKey was specified. This could allow to an attacker to decrypt any encrypted project data, as the default encryption key can be considered compromised.
Credit: productcert@siemens.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mendix | >=10.0.0<10.0.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the severity of CVE-2024-39888?
The severity of CVE-2024-39888 is considered serious due to the use of a hard-coded default value for the EncryptionKey constant.
How do I fix CVE-2024-39888?
To fix CVE-2024-39888, upgrade the Mendix Encryption module to version 10.0.2 or later immediately.
Who is affected by CVE-2024-39888?
CVE-2024-39888 affects all versions of Mendix Encryption from 10.0.0 to prior to 10.0.2.
What are the risks associated with CVE-2024-39888?
The risks include potential unauthorized access to sensitive information due to the use of a common EncryptionKey.
Is there a workaround for CVE-2024-39888?
The recommended solution is upgrading to a fixed version, as no effective workaround is noted for CVE-2024-39888.
- agent/references
- agent/weakness
- agent/description
- agent/first-publish-date
- agent/type
- agent/severity
- agent/author
- agent/event
- collector/nvd-api
- source/NVD
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/source
- agent/tags
- agent/softwarecombine
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/mendix
- canonical/mendix