All Advisories / BE-2024-0002

BE-2024-0002

BE-2024-0002: ProjectWise Integration Server SQL API abuse

Bentley ID: BE-2024-0002
CVE ID: CVE-2024-53007
Severity: 5.8
CVSS v3.1: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N/E:P/RL:T/RC:C
Publication date: 2025-01-28
Revision date: 2025-01-28

Summary
The ProjectWise Integration Server application has an API for clients to request SQL query execution that may be abused by an authenticated user with application-level subject matter expertise.

Details
The ProjectWise Integration Server exposes many APIs for users to customize the behavior of the application. This feature is leveraged by a majority of our users. Some calls of this API may be abused by a malicious insider to obtain or manipulate data from the SQL database. This could lead to bypass of access control or tampering of data. Bentley is already implementing plans to deprecate this API in future versions of ProjectWise. This depreciation plan is being carefully designed with our Users to not negatively impact the stability and availability of current global ProjectWise deployments.

Affected Versions

Applications Affected Versions Mitigated Versions
ProjectWise Integration Server <10.00.03.288 >=10.00.03.288

 

Recommended Mitigations
Follow industry standard guidance on authentication of users including mandating robust 2FA. Follow industry standard guidance on regular and independent internal privileged access reviews. Make sure to follow best practices to minimize ProjectWise database user permissions : https://docs.bentley.com/LiveContent/web/ProjectWise%20Design%20Integration-v2024/Implementation%20Guide/en/html5/topics/6379/GUID-173543FA-9B56-CF33-D07B-035674B61BCF.html . Upgrade to latest versions of ProjectWise Integration server and enable the SQL Allow List to help minimize the risk of malicious SQL queries to be executed. See this link for how to configure it: https://docs.bentley.com/LiveContent/web/ProjectWise%20Administrator%20Help-v13/en/GUID-362761CD-A0C5-42C0-9CB1-82F538D8E86C.html . For ProjectWise Cloud users, you are always using the latest version but need to open a service ticket to request enabling the SQL Allow List for your instance.

Acknowledgement
Thanks to Andre Botelho, Robert Ingrube and Riedmair Josef from Siemens Energy

Revision History

Date Description
2025-01-28 First version of this advisory
2025-02-17 Change ‘whitelist’ for ‘SQL Allow List’
Need Support?
Accessibility Options
Back To Top
Bentley Systems Logo Black

Build With Us

Students & Educators
Developers
Product Research

Explore

Software
Licensing & Subscriptions
My Account/Create Profile
Shop Software
Resources

Stories & News

News
Blog
Infrastructure Yearbook
Digital Currency Newsletter

Company

About
Careers
Contact Us
Investors
Events
Year in Infrastructure
Sustainability
COP

Support

Support Hub
Training
Services
Bentley Communities

Investments

Bentley iTwin Ventures Fund

Legal

Legal Overview
Trust Center

Business & Partners

Channel & Training Partners
Seequent, The Bentley Subsurface Company
Cohesive
Cesium

Privacy Statement | Terms of Use | Cookies

Facebook Linkedin Youtube Instagram
© 2025 Bentley systems, incorporated

20% Off Bentley Software

Deal Ends Friday

Use Coupon Code "THANKS24"

Shop Now

Celebrate Infrastructure Delivery & Performance Excellence

The 2024 Year in Infrastructure
and Going Digital Awards

Nominate a project for the most prestigious awards in infrastructure! Extended deadline to enter is April 29th.

Nominate Project