Products | Versions |
---|---|
TIBCO ActiveMatrix BusinessWorks | 6.10.0 |
TIBCO ActiveMatrix BusinessWorks – Path Traversal Vulnerability
Original release date: November 26, 2024
Last revised: ---
CVE-2024-10512
Source: TIBCO Software Inc.
Products Affected
TIBCO ActiveMatrix BusinessWorks version 6.10.0
Component Affected
com.tibco.bw.thor.admin.feature
Description
This is a path traversal vulnerability that leads to arbitrary file reading when users often change the logback.configurationFile configuration. The component listed above contains an exploitable vulnerability that allows an attacker to download files to a directory accessible by the web server.
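A defender can audit configured logback.configurationFile values for paths that resolve outside an approved configuration directory. The following is an added example, not TIBCO's code or the hotfix logic. The key=value line format, the POSIX-style absolute directory /opt/app/conf, the sample lines, and the function names resolve_value and audit are all assumptions made for illustration.

```python
import posixpath
from urllib.parse import unquote, urlparse

PROPERTY = "logback.configurationFile"  # property named in the advisory

# Constructed sample lines (key=value format is an assumption).
SAMPLE = [
    "# constructed sample, not from a real deployment",
    "logback.configurationFile=logback.xml",
    "logback.configurationFile=/opt/app/conf/custom/logback.xml",
    "logback.configurationFile=../../../srv/shared/logback.xml",
    "logback.configurationFile=file:///opt/app/conf/%2e%2e/%2e%2e/other/logback.xml",
    "logback.configurationFile=http://config.example.invalid/logback.xml",
]

def resolve_value(value, base_dir):
    """Normalized absolute path a value points to, or None if it is not a local file."""
    value = value.strip().replace("\\", "/")
    if value.startswith("file:"):
        value = unquote(urlparse(value).path)  # decode %2e etc. before normalizing
    elif "://" in value:
        return None  # remote URL: cannot be checked against a directory
    # Assumption: relative values are resolved against base_dir.
    return posixpath.normpath(posixpath.join(base_dir, value))

def audit(lines, allowed_dir):
    """Return (line number, value, reason) for each value that leaves allowed_dir."""
    allowed = posixpath.normpath(allowed_dir)
    findings = []
    for lineno, line in enumerate(lines, 1):
        key, sep, value = line.strip().partition("=")
        if key.startswith("#") or not sep or not key.strip().endswith(PROPERTY):
            continue
        resolved = resolve_value(value, allowed)
        if resolved is None:
            findings.append((lineno, value.strip(), "non-file value"))
        elif posixpath.commonpath([allowed, resolved]) != allowed:
            findings.append((lineno, value.strip(), "resolves outside " + allowed))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, "/opt/app/conf"):
        print(finding)
```

The comparison uses path components rather than a string prefix, so a sibling directory such as /opt/app/conf-old is also reported.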
Impact
An application administrator without access to the underlying server could download files that may be evaluated by the web server, allowing them to perform actions with the privileges of the web server.
CVSS v4.0 Score: 7 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
all platforms
TIBCO has released updated versions of the affected components which address this issue.
TIBCO BusinessWorks 6.10.0 Hotfix-03; upgrade to the latest version of the Hotfix as soon as possible.
Security Advisory Regarding TIBCO ActiveMatrix BusinessWorks Path Traversal Vulnerability
Acknowledgments
Cloud Software Group thanks Vinh Le for working with us to protect Cloud Software Group customers.
TIBCO would like to extend its appreciation to Vinh Le for discovery of this vulnerability.
References
https://community.tibco.com/advisories
CVE-2024-10512