
BE-2024-0002: ProjectWise Integration Server SQL API abuse

Bentley ID: BE-2024-0002
CVE ID: CVE-2024-53007
Severity: 5.8
CVSS v3.1: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N/E:P/RL:T/RC:C
Publication date: 2025-01-28
Revision date: 2025-01-28

Summary
The ProjectWise Integration Server application has an API for clients to request SQL query execution that may be abused by an authenticated user with application-level subject matter expertise.

Details
The ProjectWise Integration Server exposes many APIs that let users customize the behavior of the application, and this feature is used by a majority of our users. Some calls in this API may be abused by a malicious insider to obtain or manipulate data in the SQL database, which could lead to an access control bypass or to data tampering. Bentley is already implementing plans to deprecate this API in future versions of ProjectWise. This deprecation plan is being carefully designed together with our users so that it does not negatively impact the stability and availability of current global ProjectWise deployments.

Affected versions

Application                       Affected versions   Versions with reduced vulnerability
ProjectWise Integration Server    >=10.00.03.288

Recommended Mitigations
Follow industry-standard guidance on user authentication, including mandating robust 2FA. Follow industry-standard guidance on regular and independent internal privileged access reviews. Follow best practices to minimize the permissions of the ProjectWise database user: https://docs.bentley.com/LiveContent/web/ProjectWise%20Design%20Integration-v2024/Implementation%20Guide/en/html5/topics/6379/GUID-173543FA-9B56-CF33-D07B-035674B61BCF.html. Upgrade to the latest version of ProjectWise Integration Server and enable the SQL Allow List to reduce the risk of malicious SQL queries being executed; see this link for how to configure it: https://docs.bentley.com/LiveContent/web/ProjectWise%20Administrator%20Help-v13/en/GUID-362761CD-A0C5-42C0-9CB1-82F538D8E86C.html. ProjectWise Cloud users are always on the latest version but need to open a service ticket to request that the SQL Allow List be enabled for their instance.
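As an added illustration (not Bentley's code, and not the actual format of the ProjectWise SQL Allow List), the following Python contrasts an API that executes client-supplied SQL with one gated by an allow list of pre-approved, parameterized statements; the schema, table names, user names and statement name are constructed for the example.

```python
import sqlite3

# Constructed toy schema standing in for an application database; the real
# ProjectWise schema is not on the page. This models only the mitigation's principle.
SCHEMA = """
CREATE TABLE documents (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE acl (doc_id INTEGER, user TEXT, can_read INTEGER);
INSERT INTO documents VALUES (1, 'plant-layout.dgn');
INSERT INTO acl VALUES (1, 'alice', 1), (1, 'bob', 0);
"""

# Allow list: named, pre-approved statements with bound parameters only.
# Clients pick a name and supply values; they never send SQL text.
ALLOW_LIST = {
    "my_readable_docs": "SELECT d.name FROM documents d JOIN acl a ON a.doc_id = d.id "
                        "WHERE a.user = ? AND a.can_read = 1",
}

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def run_unrestricted(conn, sql, params=()):
    """Model of a 'run this SQL' API: whatever the client sends is executed."""
    return conn.execute(sql, params).fetchall()

def run_allow_listed(conn, name, params=()):
    """Allow-listed API: only a registered statement runs, with bound parameters."""
    sql = ALLOW_LIST.get(name)
    if sql is None:
        raise PermissionError(f"statement {name!r} is not on the SQL allow list")
    return conn.execute(sql, params).fetchall()

def compare(user="bob"):
    """What an authenticated, low-privileged client can achieve through each API."""
    conn = open_db()
    # Unrestricted: the client's SQL rewrites its own ACL row (tampering), after
    # which the access-controlled query returns the document it was denied (bypass).
    run_unrestricted(conn, "UPDATE acl SET can_read = 1 WHERE user = ?", (user,))
    leaked = run_unrestricted(conn, ALLOW_LIST["my_readable_docs"], (user,))
    # Allow-listed, on a fresh database: the ACL is untouched and raw SQL is refused.
    conn = open_db()
    visible = run_allow_listed(conn, "my_readable_docs", (user,))
    try:
        run_allow_listed(conn, "UPDATE acl SET can_read = 1")
        refused = False
    except PermissionError:
        refused = True
    return {"leaked": leaked, "visible": visible, "refused": refused}
```

Pairing the allow list with a minimally privileged database user, as the advisory recommends, limits what an approved statement could reach even if the list itself were too permissive.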

Acknowledgement
Thanks to Andre Botelho, Robert Ingrube and Riedmair Josef from Siemens Energy

Revision history

Date         Description
01-28-2025   First version of this advisory
02-17-2025   Changed 'whitelist' to 'SQL Allow List'
