Mendix Studio Pro Zip Path Traversal Vulnerability in Module Installation Process

Vulnerability

A zip path traversal vulnerability has been identified in Mendix Studio Pro versions 8, 9, 10, and 11. This vulnerability arises during the module installation process, where a crafted malicious module could be used to write or modify arbitrary files in directories outside of a developer's project directory. This could be exploited by distributing the malicious module through the Mendix Marketplace.

Impact

Exploitation of this vulnerability could lead to unauthorized writing or modification of files outside the project's directory, potentially allowing for malicious code execution or disruption of the development environment.

Remediation

Users are advised to update to Mendix Studio Pro version 8.18.35, 9.24.35, 10.23.0, 10.6.24, 10.12.17, or 10.18.7, depending on their current version. For Mendix Studio Pro 11, no fix is currently available. As a general security measure, do not install untrusted or unverified modules in Studio Pro projects.
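To make the underlying failure mode concrete, the following is an added Python example, not Mendix code and not a description of how Studio Pro actually unpacks modules: an extractor that validates every archive entry against the destination directory before writing a single file, which is the check a module installer needs to prevent zip path traversal. The module layout (MyModule/module.xml, a Java source file) and the traversing entry ../../outside.txt are constructed test fixtures, and run_demo() stands in for an installer.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path


class UnsafeZipEntry(Exception):
    """Raised when an archive entry would resolve outside the destination."""


def safe_extract(zip_bytes: bytes, dest_dir: str) -> list:
    """Extract an archive into dest_dir, refusing any entry whose resolved
    path escapes dest_dir (zip path traversal). All entries are validated
    first so a bad archive leaves nothing behind, not even a partial module."""
    dest = Path(dest_dir).resolve()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        planned = []
        for info in zf.infolist():
            # Normalise separators so a backslash-based path is judged the same
            # way on every platform, then reject absolute paths outright.
            name = info.filename.replace("\\", "/")
            if name.startswith("/") or Path(name).is_absolute():
                raise UnsafeZipEntry(info.filename)
            # resolve() collapses ".." components; the result must sit under dest.
            target = (dest / name).resolve()
            if target != dest and dest not in target.parents:
                raise UnsafeZipEntry(info.filename)
            planned.append((info, target))

        written = []
        for info, target in planned:
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target.relative_to(dest).as_posix())
    return written


def build_archive(entries: dict) -> bytes:
    """Build an in-memory zip from {entry_name: bytes}; used for the fixtures below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed fixtures: a well-formed module and one carrying a traversing entry.
BENIGN_MODULE = build_archive({
    "MyModule/module.xml": b"<module/>",
    "MyModule/javasource/Hello.java": b"class Hello {}",
})
MALICIOUS_MODULE = build_archive({
    "MyModule/module.xml": b"<module/>",
    "../../outside.txt": b"tampered",
})


def run_demo() -> dict:
    """Install both fixtures into a throwaway project directory and report
    what was written, which entry was rejected, and whether anything escaped."""
    with tempfile.TemporaryDirectory() as tmp:
        project = os.path.join(tmp, "sandbox", "project")
        os.makedirs(project)
        benign_files = safe_extract(BENIGN_MODULE, project)
        try:
            safe_extract(MALICIOUS_MODULE, project)
            rejected = None
        except UnsafeZipEntry as exc:
            rejected = str(exc)
        # ../../outside.txt relative to sandbox/project would land directly in tmp.
        escaped = os.path.exists(os.path.join(tmp, "outside.txt"))
        return {
            "benign_files": sorted(benign_files),
            "rejected_entry": rejected,
            "file_escaped": escaped,
        }


if __name__ == "__main__":
    print(run_demo())
```

The two-pass structure matters: validating while writing would still leave the benign-looking leading entries of a malicious archive on disk before the traversing one is hit, and a module that is half-installed is harder to reason about than one that was refused whole.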

Added: Jun 12, 2025, 8:17 AM
Updated: Jun 12, 2025, 8:17 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 6.2
remediation: 0.0
relevance: 0.2
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.