Attacker Value

Unknown

TIBCO Spotfire Analyst and Desktop Remote Code Execution Via Shared Files

Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

TIBCO Spotfire Analyst and Desktop Remote Code Execution Via Shared Files

Disclosure Date: December 17, 2019 •

CVE-2019-17334 CVSS v3 Base Score: 8.0

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

The Visualizations component of TIBCO Software Inc.’s TIBCO Spotfire Analyst, TIBCO Spotfire Analytics Platform for AWS Marketplace, TIBCO Spotfire Deployment Kit, TIBCO Spotfire Desktop, and TIBCO Spotfire Desktop Language Packs contains a vulnerability that theoretically allows an attacker with permission to write DXP files to the Spotfire library to remotely execute code of their choice on the user account of other users who access the affected system. This attack is a risk only when the attacker has write access to a network file system shared with the affected system. Affected releases are TIBCO Software Inc.’s TIBCO Spotfire Analyst: versions 7.11.1 and below, versions 7.12.0, 7.13.0, 7.14.0, 10.0.0, 10.1.0, 10.2.0, 10.3.0, 10.3.1, and 10.3.2, versions 10.4.0, 10.5.0, and 10.6.0, TIBCO Spotfire Analytics Platform for AWS Marketplace: version 10.6.0, TIBCO Spotfire Deployment Kit: versions 7.11.1 and below, TIBCO Spotfire Desktop: versions 7.11.1 and below, versions 7.12.0, 7.13.0, 7.14.0, 10.0.0, 10.1.0, 10.2.0, 10.3.0, 10.3.1, and 10.3.2, versions 10.4.0, 10.5.0, and 10.6.0, and TIBCO Spotfire Desktop Language Packs: versions 7.11.1 and below.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

8.0 High

Impact Score:

5.9

Exploitability Score:

2.1

Vector:

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

Low

User Interaction (UI):

Required

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

General Information

Offensive Application

Unknown

Utility Class

Unknown

Ports

Unknown

Vulnerable Versions

TIBCO Spotfire Analyst 7.11.1

TIBCO Spotfire Analyst 7.12.0

TIBCO Spotfire Analyst 7.13.0

TIBCO Spotfire Analyst 7.14.0

TIBCO Spotfire Analyst 10.0.0

TIBCO Spotfire Analyst 10.1.0

TIBCO Spotfire Analyst 10.2.0

TIBCO Spotfire Analyst 10.3.0

TIBCO Spotfire Analyst 10.3.1

TIBCO Spotfire Analyst 10.3.2

TIBCO Spotfire Analyst 10.4.0

TIBCO Spotfire Analyst 10.5.0

TIBCO Spotfire Analyst 10.6.0

TIBCO Spotfire Analytics Platform for AWS Marketplace 10.6.0

TIBCO Spotfire Deployment Kit 7.11.1

TIBCO Spotfire Desktop 7.11.1

TIBCO Spotfire Desktop 7.12.0

TIBCO Spotfire Desktop 7.13.0

TIBCO Spotfire Desktop 7.14.0

TIBCO Spotfire Desktop 10.0.0

TIBCO Spotfire Desktop 10.1.0

TIBCO Spotfire Desktop 10.2.0

TIBCO Spotfire Desktop 10.3.0

TIBCO Spotfire Desktop 10.3.1

TIBCO Spotfire Desktop 10.3.2

TIBCO Spotfire Desktop 10.4.0

TIBCO Spotfire Desktop 10.5.0

TIBCO Spotfire Desktop 10.6.0

TIBCO Spotfire Desktop Language Packs 7.11.1

Prerequisites

Unknown

Discovered By

Unknown

PoC Author

Unknown

Metasploit Module

Unknown

Reporter

Unknown

References

Canonical

CVE-2019-17334 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17334)

Miscellaneous

http://www.tibco.com/services/support/advisories

https://www.tibco.com/support/advisories/2019/12/tibco-security-advisory-december-17-2019-tibco-spotfire-2019-17334

Rapid7

Unknown