Security Advisory Regarding TIBCO EBX Add-ons

Article ID: KB0107940

Products Versions
TIBCO EBX Add-ons 4.5.17 and below, 5.6.2 and below, 6.1.0

Description

TIBCO EBX Add-ons SQL Injection Vulnerability

  Original release date: July 18, 2023
  Last revised: ---
  Source: TIBCO Software Inc

Description

  The component listed above contains an easily exploitable vulnerability that
  allows a low-privileged user with import permissions and network access to the
  EBX server to execute arbitrary SQL statements on the affected system.


Impact

  Any application user with Data Exchange import permissions can potentially
  update, insert or delete data from external tables.

  CVSS v3.1 Base Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Environment

  Products Affected

  TIBCO EBX Add-ons versions 4.5.17 and below
  TIBCO EBX Add-ons versions 5.6.2 and below
  TIBCO EBX Add-ons version 6.1.0

  The following component is affected:

    * Data Exchange Add-on

Resolution

  TIBCO has released updated versions of the affected systems which address this
  issue:

  TIBCO EBX Add-ons versions 4.5.17 and below: update to version 4.5.18 or
    later
  TIBCO EBX Add-ons versions 5.6.2 and below: update to version 5.6.3 or later
  TIBCO EBX Add-ons version 6.1.0: update to version 6.1.1 or later
 

Issue/Introduction

Security Advisory Regarding TIBCO EBX Add-ons SQL Injection Vulnerability

Additional Information

  https://www.tibco.com/services/support/advisories
  CVE-2023-26217