Security Advisory for TIBCO Spotfire Products

Article ID: KB0108215

Updated On:

Products Versions
Spotfire Analyst 7.7.0
Spotfire Connectors 7.6.0
Spotfire Deployment Kit 7.7.0

Description

TIBCO Spotfire scripting vulnerabilities

  Original release date: Jan 10, 2017
  Last revised: --
  Source: TIBCO Software Inc.


Systems Affected

  TIBCO Spotfire Analyst 7.7.0

  TIBCO Spotfire Connectors 7.6.0

  TIBCO Spotfire Deployment Kit 7.7.0

  TIBCO Spotfire Desktop 7.6.0
  TIBCO Spotfire Desktop 7.7.0

  TIBCO Spotfire Desktop Developer Edition 7.7.0

  TIBCO Spotfire Desktop Language Packs 7.6.0
  TIBCO Spotfire Desktop Language Packs 7.7.0

  The following components are affected:

    * TIBCO Spotfire Client
    * TIBCO Spotfire Web Player Client

Description

  The Spotfire components listed above contain multiple vulnerabilities which
  may allow a subset of authorized users to perform SQL injection attacks
  against PostgreSQL databases. Other database systems are not affected.


Impact

  The impact of this vulnerability includes the theoretical modification of
  sensitive information.

  CVSS v3 Base Score: 6.5 (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N)

 

Environment

All Supported Platforms

Resolution

  TIBCO has released updated versions of the affected components which address
  these issues.

  For each affected system, update to the corresponding software versions:

  TIBCO Spotfire Analyst 7.7.0: version 7.7.1 or higher

  TIBCO Spotfire Connectors: version 7.6.1 or higher

  TIBCO Spotfire Deployment Kit 7.7.0: version 7.7.1 or higher

  TIBCO Spotfire Desktop 7.6.0: version 7.6.1 or higher
  TIBCO Spotfire Desktop 7.7.0: version 7.7.1 or higher

  TIBCO Spotfire Desktop Language Packs 7.6.0: version 7.6.1 or higher
  TIBCO Spotfire Desktop Language Packs 7.7.0: version 7.7.1 or higher
 

Issue/Introduction

TIBCO Spotfire scripting vulnerabilities (CVE-2017-3181)

Additional Information

http://www.tibco.com/services/support/advisories
CVE: CVE-2017-3181