BE-2024-0002: ProjectWise Integration Server SQL API abuse

Bentley ID: BE-2024-0002
CVE ID: CVE-2024-53007
Severity: 5.8
CVSS v3.1: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N/E:P/RL:T/RC:C
Publication date: 2025-01-28
Revision date: 2025-01-28

Summary
The ProjectWise Integration Server application has an API for clients to request SQL query execution that may be abused by an authenticated user with application-level subject matter expertise.

Details
The ProjectWise Integration Server exposes many APIs that let users customize the behavior of the application, and a majority of our users rely on this feature. Some calls in this API may be abused by a malicious insider to read or manipulate data in the SQL database, which could lead to a bypass of access control or to tampering with data. Bentley is already implementing plans to deprecate this API in future versions of ProjectWise. This deprecation plan is being carefully designed with our users so that it does not negatively impact the stability and availability of current global ProjectWise deployments.

Affected Versions

Application                      Affected Versions   Mitigated Versions
ProjectWise Integration Server   >=10.00.03.288

Recommended Mitigations
Follow industry-standard guidance on user authentication, including mandating robust 2FA. Follow industry-standard guidance on regular, independent internal reviews of privileged access. Follow best practices to minimize the permissions of the ProjectWise database user: https://docs.bentley.com/LiveContent/web/ProjectWise%20Design%20Integration-v2024/Implementation%20Guide/en/html5/topics/6379/GUID-173543FA-9B56-CF33-D07B-035674B61BCF.html. Upgrade to the latest version of ProjectWise Integration Server and enable the SQL Allow List to help minimize the risk of malicious SQL queries being executed; see this link for how to configure it: https://docs.bentley.com/LiveContent/web/ProjectWise%20Administrator%20Help-v13/en/GUID-362761CD-A0C5-42C0-9CB1-82F538D8E86C.html. ProjectWise Cloud users are always on the latest version but need to open a service ticket to request that the SQL Allow List be enabled for their instance.

Acknowledgement
Thanks to Andre Botelho, Robert Ingrube and Riedmair Josef from Siemens Energy

Revision History

Date Description
28-01-2025 Initial version of the advisory
17-02-2025 Changed 'whitelist' to 'SQL Allow List'
