TIBCO Spotfire scripting vulnerabilities

  Original release date: Jan 10, 2017
  Last revised: --
  Source: TIBCO Software Inc.


Systems Affected

  TIBCO Spotfire Analyst 7.7.0

  TIBCO Spotfire Connectors 7.6.0

  TIBCO Spotfire Deployment Kit 7.7.0

  TIBCO Spotfire Desktop 7.6.0
  TIBCO Spotfire Desktop 7.7.0

  TIBCO Spotfire Desktop Developer Edition 7.7.0

  TIBCO Spotfire Desktop Language Packs 7.6.0
  TIBCO Spotfire Desktop Language Packs 7.7.0

  The following components are affected:

    * TIBCO Spotfire Client
    * TIBCO Spotfire Web Player Client

Description

  The Spotfire components listed above contain multiple vulnerabilities which
  may allow a subset of authorized users to perform SQL injection attacks
  against PostgreSQL databases. Other databases systems are not affected.


Impact

  The impact of this vulnerability includes the theoretical modification of
  sensitive information.

  CVSS v3 Base Score: 6.5 (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N)

 

All Supported Platforms

  TIBCO has released updated versions of the affected components which address
  these issues.

  For each affected system, update to the corresponding software versions:

  TIBCO Spotfire Analyst 7.7.0 version 7.7.1 or higher

  TIBCO Spotfire Connectors 7.6.1 or higher

  TIBCO Spotfire Deployment Kit 7.7.0 version 7.7.1 or higher

  TIBCO Spotfire Desktop 7.6.0 version 7.6.1 or higher
  TIBCO Spotfire Desktop 7.7.0 version 7.7.1 or higher

  TIBCO Spotfire Desktop Language Packs 7.6.0 version 7.6.1 or higher
  TIBCO Spotfire Desktop Language Packs 7.7.0 version 7.7.1 or higher
 

TIBCO Spotfire scripting vulnerabilities (CVE-2017-3181)

http://www.tibco.com/services/support/advisories
CVE: CVE-2017-3181