Security Advisory Regarding TIBCO Spotfire Web Player
Article ID: KB0108052
Updated On:
| Products | Versions |
|---|---|
| Spotfire Server | 7.11.7 and below, 7.12.0, 7.13.0, 7.14.0, 10.0.0, 10.0.1, 10.1.0, 10.2.0, 10.2.1, 10.3.0, 10.3.1, 10.3.2, 10.3.3, and 10.3.4, 10.4.0, 10.5.0, and 10.6.0 |
Description
TIBCO Spotfire Web Player Potentially Exposes Credentials For Shared Data
Sources
Original release date: December 17, 2019
Last revised: ---
Source: TIBCO Software Inc.
The following component is affected:
* Data access layer
Description
The component listed above contains multiple vulnerabilities that
theoretically allow an attacker access to information that can lead to
obtaining credentials used to access Spotfire data sources. The attacker would
need privileges to save a Spotfire file to the library, and only applies in a
situation where NTLM credentials, or a credentials profile is in use.
Impact
The impact of this vulnerability includes the theoretical possibility that an
attacker recovers credentials used to access Spotfire data sources.
CVSS v3 Base Score: 7.7 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)
Sources
Original release date: December 17, 2019
Last revised: ---
Source: TIBCO Software Inc.
The following component is affected:
* Data access layer
Description
The component listed above contains multiple vulnerabilities that
theoretically allow an attacker access to information that can lead to
obtaining credentials used to access Spotfire data sources. The attacker would
need privileges to save a Spotfire file to the library, and only applies in a
situation where NTLM credentials, or a credentials profile is in use.
Impact
The impact of this vulnerability includes the theoretical possibility that an
attacker recovers credentials used to access Spotfire data sources.
CVSS v3 Base Score: 7.7 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)
Issue/Introduction
TIBCO Spotfire Web Player Potentially Exposes Credentials For Shared Data
Environment
Systems Affected
TIBCO Spotfire Analytics Platform for AWS Marketplace version 10.6.0
TIBCO Spotfire Server versions 7.11.7 and below
TIBCO Spotfire Server versions 7.12.0, 7.13.0, 7.14.0, 10.0.0, 10.0.1,
10.1.0, 10.2.0, 10.2.1, 10.3.0, 10.3.1, 10.3.2, 10.3.3, and 10.3.4
TIBCO Spotfire Server versions 10.4.0, 10.5.0, and 10.6.0
Resolution
TIBCO has released updated versions of the affected systems which address
these issues:
TIBCO Spotfire Analytics Platform for AWS Marketplace version 10.6.0 update
to version 10.6.1 or higher
TIBCO Spotfire Server versions 7.11.7 and below update to version 7.11.8 or
higher
TIBCO Spotfire Server versions 7.12.0, 7.13.0, 7.14.0, 10.0.0, 10.0.1,
10.1.0, 10.2.0, 10.2.1, 10.3.0, 10.3.1, 10.3.2, 10.3.3, and 10.3.4 update to
version 10.3.5 or higher
TIBCO Spotfire Server versions 10.4.0, 10.5.0, and 10.6.0 update to version
10.6.1 or higher
these issues:
TIBCO Spotfire Analytics Platform for AWS Marketplace version 10.6.0 update
to version 10.6.1 or higher
TIBCO Spotfire Server versions 7.11.7 and below update to version 7.11.8 or
higher
TIBCO Spotfire Server versions 7.12.0, 7.13.0, 7.14.0, 10.0.0, 10.0.1,
10.1.0, 10.2.0, 10.2.1, 10.3.0, 10.3.1, 10.3.2, 10.3.3, and 10.3.4 update to
version 10.3.5 or higher
TIBCO Spotfire Server versions 10.4.0, 10.5.0, and 10.6.0 update to version
10.6.1 or higher
Additional Information
http://www.tibco.com/services/support/advisories
CVE-2019-17336
CVE-2019-17336
Feedback
Yes
No
Powered by
