TIBCO Spotfire Server Script Trust Problem Exposes Remote Code Execution Vulnerability
Article ID: KB0108048
Description
The affected component (the Spotfire library) contains a vulnerability that
theoretically allows an attacker with write permissions to the Spotfire
Library, but without "Script Author" group permission, to modify attributes of
files and objects saved to the library such that the system treats them as
trusted. This could allow an attacker to cause the Spotfire Web Player, Analyst
clients, and TERR Service to execute arbitrary code with the privileges of the
system account that started those processes.
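The weakness described above is a trust decision driven by an attribute that the writer of a library item controls. The following added example is not TIBCO's code and does not model Spotfire's actual library internals; the user names, group sets, item model and HMAC-based trust tag are all hypothetical. It contrasts the weak pattern (the server believes a "trusted" attribute stored with the item) with a hardened one, where the server ignores the client's claim, derives trust from the saving user's group membership at save time, and binds that decision to the content and author with a keyed tag so that a later edit of the attribute or content by a non-author is detected:

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample directory data (hypothetical, not from the advisory).
SCRIPT_AUTHORS = {"alice"}          # members of the "Script Author" group
LIBRARY_WRITERS = {"alice", "bob"}  # users with write permission to the library

# Server-held secret; a real deployment would load it from a protected keystore.
SERVER_KEY = secrets.token_bytes(32)


@dataclass
class LibraryItem:
    content: bytes
    author: str
    attributes: dict = field(default_factory=dict)


# --- Weak pattern: the stored "trusted" attribute is taken at face value ------
def save_weak(item: LibraryItem, user: str) -> LibraryItem:
    if user not in LIBRARY_WRITERS:
        raise PermissionError(user)
    # Client-supplied attributes, including "trusted", are persisted unchanged.
    return item


def is_trusted_weak(item: LibraryItem) -> bool:
    return item.attributes.get("trusted") is True


# --- Hardened pattern: server derives trust and binds it to content + author --
def _trust_tag(content: bytes, author: str) -> bytes:
    # Keyed tag over the content hash and the author name, so neither the
    # content nor the authorship can be swapped without invalidating the tag.
    msg = hashlib.sha256(content).digest() + b"|" + author.encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()


def save_hardened(item: LibraryItem, user: str) -> LibraryItem:
    if user not in LIBRARY_WRITERS:
        raise PermissionError(user)
    # Discard whatever the client claimed about trust.
    attrs = {k: v for k, v in item.attributes.items()
             if k not in ("trusted", "trust_tag")}
    # Trust is granted only if the *saving* user is a Script Author.
    if user in SCRIPT_AUTHORS:
        attrs["trusted"] = True
        attrs["trust_tag"] = _trust_tag(item.content, user)
    # The recorded author is the authenticated saver, not a client-supplied name.
    return LibraryItem(item.content, user, attrs)


def is_trusted_hardened(item: LibraryItem) -> bool:
    tag = item.attributes.get("trust_tag")
    if item.attributes.get("trusted") is not True or tag is None:
        return False
    return hmac.compare_digest(tag, _trust_tag(item.content, item.author))


def demo() -> dict:
    """Exercise both patterns with a non-author writer and a legitimate author."""
    script = b"print('hello')"
    # bob can write to the library but is not a Script Author; he marks his item trusted.
    bobs_item = LibraryItem(script, "bob", {"trusted": True})
    # alice is a Script Author and saves the same script legitimately.
    alices_item = LibraryItem(script, "alice")

    results = {
        "weak_bob": is_trusted_weak(save_weak(bobs_item, "bob")),
        "hardened_bob": is_trusted_hardened(save_hardened(bobs_item, "bob")),
        "hardened_alice": is_trusted_hardened(save_hardened(alices_item, "alice")),
    }

    # Post-save attribute tampering against the hardened store: the "trusted"
    # flag is set directly and alice's tag is copied onto different content.
    saved = save_hardened(alices_item, "alice")
    flipped = save_hardened(bobs_item, "bob")
    flipped.attributes["trusted"] = True
    results["hardened_flag_flipped"] = is_trusted_hardened(flipped)

    copied_tag = LibraryItem(b"print('replaced')", saved.author, dict(saved.attributes))
    results["hardened_tag_copied"] = is_trusted_hardened(copied_tag)
    return results


if __name__ == "__main__":
    for name, trusted in demo().items():
        print(f"{name}: trusted={trusted}")
```

The point of the hardened path is that the trust attribute is never read back as authoritative on its own: the server recomputes the tag from the stored content and author, so a writer without Script Author membership cannot make an item trusted by editing metadata, and a trusted item whose content is later replaced stops being trusted.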
Impact
The impact of this vulnerability includes the theoretical possibility that an
attacker could execute arbitrary code with the privileges of the system
account that started the Spotfire Web Player, Analyst clients, or TERR
Service.
CVSS v3 Base Score: 9.9 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
Issue/Introduction
TIBCO Spotfire Server Script Trust Problem Exposes Remote Code Execution Vulnerability
Environment
Systems Affected
TIBCO Spotfire Analytics Platform for AWS Marketplace versions 10.8.0 and below
TIBCO Spotfire Server versions 7.11.9 and below
TIBCO Spotfire Server versions 7.12.0, 7.13.0, 7.14.0, 10.0.0, 10.0.1, 10.1.0, 10.2.0, 10.3.0, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, and 10.3.6
TIBCO Spotfire Server versions 10.4.0, 10.5.0, 10.6.0, 10.6.1, 10.7.0, and 10.8.0
The following component is affected:
* Spotfire library
Resolution
TIBCO has released updated versions of the affected systems which address this issue:
TIBCO Spotfire Analytics Platform for AWS Marketplace versions 10.8.0 and below: update to version 10.8.1 or higher
TIBCO Spotfire Server versions 7.11.9 and below: update to version 7.11.10 or higher
TIBCO Spotfire Server versions 7.12.0, 7.13.0, 7.14.0, 10.0.0, 10.0.1, 10.1.0, 10.2.0, 10.3.0, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, and 10.3.6: update to version 10.3.7 or higher
TIBCO Spotfire Server versions 10.4.0, 10.5.0, 10.6.0, 10.6.1, 10.7.0, and 10.8.0: update to version 10.8.1 or higher
Additional Information
http://www.tibco.com/services/support/advisories
CVE-2020-9408