CVE-2020-9408

EPSS 0.24%
Published 11.03.2020 20:15:13
Last modified 21.11.2024 05:40:34
Source security@tibco.com
Teams watchlist Login
Open Login

The Spotfire library component of TIBCO Software Inc.'s TIBCO Spotfire Analytics Platform for AWS Marketplace and TIBCO Spotfire Server contains a vulnerability that theoretically allows an attacker with write permissions to the Spotfire Library, but not "Script Author" group permission, to modify attributes of files and objects saved to the library such that the system treats them as trusted. This could allow an attacker to cause the Spotfire Web Player, Analyst clients, and TERR Service into executing arbitrary code with the privileges of the system account that started those processes. Affected releases are TIBCO Software Inc.'s TIBCO Spotfire Analytics Platform for AWS Marketplace: versions 10.8.0 and below and TIBCO Spotfire Server: versions 7.11.9 and below, versions 7.12.0, 7.13.0, 7.14.0, 10.0.0, 10.0.1, 10.1.0, 10.2.0, 10.3.0, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, and 10.3.6, versions 10.4.0, 10.5.0, 10.6.0, 10.6.1, 10.7.0, and 10.8.0.

Affected products Warnungen 0 Metrics 4 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Tibco ≫ Spotfire Analytics Platform For Aws Version <= 10.8.0

Tibco ≫ Spotfire Server Version <= 7.11.9

Tibco ≫ Spotfire Server Version7.12.0

Tibco ≫ Spotfire Server Version7.13.0

Tibco ≫ Spotfire Server Version7.14.0

Tibco ≫ Spotfire Server Version10.0.0

Tibco ≫ Spotfire Server Version10.0.1

Tibco ≫ Spotfire Server Version10.1.0

Tibco ≫ Spotfire Server Version10.2.0

Tibco ≫ Spotfire Server Version10.3.0

Tibco ≫ Spotfire Server Version10.3.1

Tibco ≫ Spotfire Server Version10.3.2

Tibco ≫ Spotfire Server Version10.3.3

Tibco ≫ Spotfire Server Version10.3.4

Tibco ≫ Spotfire Server Version10.3.5

Tibco ≫ Spotfire Server Version10.3.6

Tibco ≫ Spotfire Server Version10.4.0

Tibco ≫ Spotfire Server Version10.5.0

Tibco ≫ Spotfire Server Version10.6.0

Tibco ≫ Spotfire Server Version10.6.1

Tibco ≫ Spotfire Server Version10.7.0

Tibco ≫ Spotfire Server Version10.8.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.24%	0.472

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	9	8	10	AV:N/AC:L/Au:S/C:C/I:C/A:C
security@tibco.com	9.9	3.1	6	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE-276 Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

http://www.tibco.com/services/support/advisories

Vendor Advisory

https://www.tibco.com/support/advisories/2020/03/tibco-security-advisory-march-11-2020-tibco-spotfire-server

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2020-9408

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-9408

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-9408

EUVD