Mendix OIDC SSO Incorrect Privilege Assignment Vulnerability
Vulnerability
A vulnerability exists in the Mendix OIDC SSO module in versions prior to 4.1.0 (Mendix 10 compatible), versions prior to 4.0.1 (Mendix 10.12 compatible), and all versions of the Mendix 9 compatible module. The affected module grants the application's Administrator role unrestricted read and write access to all tokens it stores, rather than limiting each user to their own. An adversary who holds the Administrator role can therefore read or modify tokens issued to other users, and the same over-broad rule can be carried into an application by anyone modifying the module during development.
Impact
Exploitation requires an account that already holds the Administrator role in an affected application, but from there it amounts to a privilege escalation: the administrator can read and alter the OIDC SSO module's stored tokens for any user, which the role should not be able to do. The risk is highest where the Administrator role is assigned broadly or where the module has been customised without re-checking its entity access rules.
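The flaw described above is a generic one, an access rule that lets a powerful role bypass ownership checks on sensitive records. The following is an added Python model of that pattern, not code from the Mendix OIDC SSO module or from Siemens: a small token store with a pluggable access policy, where the weak policy grants the Administrator role read and write on every token and the corrected policy restricts each token to its owning user. The principal names, roles and token strings are constructed for the example.

```python
"""Added illustration of an incorrect privilege assignment on a token store.

This is a constructed model, not the Mendix OIDC SSO module's own code.
It compares a policy that gives the Administrator role unrestricted access
to every stored token with one that limits access to the token's owner.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet


@dataclass(frozen=True)
class Token:
    owner: str      # user the token was issued to
    material: str   # opaque token material (constructed sample)


@dataclass(frozen=True)
class Principal:
    name: str
    roles: FrozenSet[str]


class PermissionDenied(Exception):
    pass


# A policy decides whether `principal` may perform `action` on `token`.
Policy = Callable[[Principal, Token, str], bool]


class TokenStore:
    """Token store whose access rule is pluggable so both policies can be compared."""

    def __init__(self, policy: Policy) -> None:
        self._tokens: Dict[str, Token] = {}
        self._policy = policy

    def put(self, principal: Principal, token: Token) -> None:
        self._authorize(principal, token, "write")
        self._tokens[token.owner] = token

    def get(self, principal: Principal, owner: str) -> Token:
        token = self._tokens[owner]
        self._authorize(principal, token, "read")
        return token

    def _authorize(self, principal: Principal, token: Token, action: str) -> None:
        if not self._policy(principal, token, action):
            raise PermissionDenied(f"{principal.name} may not {action} token of {token.owner}")


def vulnerable_policy(principal: Principal, token: Token, action: str) -> bool:
    # Weak rule: the Administrator role may read and write any token, regardless of owner.
    if "Administrator" in principal.roles:
        return True
    return principal.name == token.owner


def hardened_policy(principal: Principal, token: Token, action: str) -> bool:
    # Least privilege: only the owning user may touch the token; roles grant nothing here.
    return principal.name == token.owner


def admin_access_outcome(policy: Policy) -> Dict[str, bool]:
    """Run the same scenario under a policy and report what the administrator could do.

    Returns flags for whether the admin could read another user's token,
    whether it could overwrite that token, and whether the owner can still
    read her own token afterwards (the legitimate path must keep working).
    """
    store = TokenStore(policy)
    alice = Principal("alice", frozenset({"User"}))                # constructed user
    mallory = Principal("mallory", frozenset({"Administrator"}))   # constructed admin
    store.put(alice, Token("alice", "sample-token-alice"))

    outcome = {"admin_read": False, "admin_overwrite": False, "owner_read": False}

    try:
        store.get(mallory, "alice")
        outcome["admin_read"] = True
    except PermissionDenied:
        pass

    try:
        store.put(mallory, Token("alice", "sample-token-forged"))
        outcome["admin_overwrite"] = True
    except PermissionDenied:
        pass

    # The owner must always be able to read her own (possibly replaced) token.
    outcome["owner_read"] = store.get(alice, "alice").owner == "alice"
    return outcome


if __name__ == "__main__":
    print("vulnerable:", admin_access_outcome(vulnerable_policy))
    print("hardened:  ", admin_access_outcome(hardened_policy))
```

The point of keeping the policy pluggable is that the fix is a change to the access rule alone; the store and the legitimate owner path are untouched, which is also how such a finding is verified after a module upgrade: re-run the same scenario and confirm the administrator path is now denied while the owner path still works.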
Remediation
Users of Mendix OIDC SSO (Mendix 10 compatible) should update to version 4.1.0 or later. Users of Mendix OIDC SSO (Mendix 10.12 compatible) should update to version 4.0.1 or later. For Mendix OIDC SSO (Mendix 9 compatible), no fix is currently available, but users are advised to consult the Siemens ProductCERT for guidance.
