CVE-2019-11211

The server component of TIBCO Software Inc.'s TIBCO Enterprise Runtime for R - Server Edition, and TIBCO Spotfire Analytics Platform for AWS Marketplace contains a vulnerability that theoretically allows an authenticated user to trigger remote code execution in certain circumstances. When the affected component runs with the containerized TERR service on Linux the host can theoretically be tricked into running malicious code. This issue affects: TIBCO Enterprise Runtime for R - Server Edition version 1.2.0 and below, and TIBCO Spotfire Analytics Platform for AWS Marketplace 10.4.0; 10.5.0.

CVSS v3 9.9 CRITICAL
CVSS v2.0 9.0 HIGH

9.9^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.1 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

9.0^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:S/C:C/I:C/A:C

Exploitability : 8.0 / Impact : 10.0

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
http://www.tibco.com/services/support/advisories	Vendor Advisory
https://www.tibco.com/support/advisories/2019/09/tibco-security-advisory-september-17-2019-tibco-enterprise-runtime-for-r-server-2019-11211	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:tibco:enterprise_runtime_for_r:::::server:::*
	cpe:2.3:a:tibco:spotfire_analytics_platform_for_aws:10.4.0:::::::*
	cpe:2.3:a:tibco:spotfire_analytics_platform_for_aws:10.5.0:::::::*

History

No history.

Information

Published : 2019-09-18 23:15

Updated : 2024-02-04 20:20

NVD link : CVE-2019-11211

Mitre link : CVE-2019-11211

CVE.ORG link : CVE-2019-11211

JSON object : View

Products Affected

tibco

spotfire_analytics_platform_for_aws
enterprise_runtime_for_r

CWE

NVD-CWE-noinfo

{"id": "CVE-2019-11211", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 9.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "authentication": "SINGLE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Secondary", "source": "security@tibco.com", "cvssData": {"scope": "CHANGED", "version": "3.0", "baseScore": 9.9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.1}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.1}]}, "published": "2019-09-18T23:15:10.923", "references": [{"url": "http://www.tibco.com/services/support/advisories", "tags": ["Vendor Advisory"], "source": "security@tibco.com"}, {"url": "https://www.tibco.com/support/advisories/2019/09/tibco-security-advisory-september-17-2019-tibco-enterprise-runtime-for-r-server-2019-11211", "tags": ["Vendor Advisory"], "source": "security@tibco.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "The server component of TIBCO Software Inc.'s TIBCO Enterprise Runtime for R - Server Edition, and TIBCO Spotfire Analytics Platform for AWS Marketplace contains a vulnerability that theoretically allows an authenticated user to trigger remote code execution in certain circumstances. When the affected component runs with the containerized TERR service on Linux the host can theoretically be tricked into running malicious code. This issue affects: TIBCO Enterprise Runtime for R - Server Edition version 1.2.0 and below, and TIBCO Spotfire Analytics Platform for AWS Marketplace 10.4.0; 10.5.0."}, {"lang": "es", "value": "TIBCO Enterprise Runtime para R - Server Edition, y TIBCO Spotfire Analytics Platform para AWS Marketplace del componente servidor de TIBCO Software Inc., contiene una vulnerabilidad que te\u00f3ricamente permite a un usuario autenticado activar la ejecuci\u00f3n de c\u00f3digo remota en determinadas circunstancias. Cuando el componente afectado es ejecutado con el servicio TERR en contenedores sobre Linux, en teor\u00eda, el host puede ser enga\u00f1ado para ejecutar c\u00f3digo malicioso. Este problema afecta a: TIBCO Enterprise Runtime para R - Server Edition versi\u00f3n 1.2.0 y posteriores, y TIBCO Spotfire Analytics Platform para AWS Marketplace versiones 10.4.0; 10.5.0."}], "lastModified": "2020-08-24T17:37:01.140", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:tibco:enterprise_runtime_for_r:*:*:*:*:server:*:*:*", "vulnerable": true, "matchCriteriaId": "64B31B30-DD6D-4B9F-AB52-3BBF008931C8", "versionEndIncluding": "1.2.0"}, {"criteria": "cpe:2.3:a:tibco:spotfire_analytics_platform_for_aws:10.4.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "041A7CA8-A0B9-4888-A977-4867FD46C248"}, {"criteria": "cpe:2.3:a:tibco:spotfire_analytics_platform_for_aws:10.5.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6470D387-3DB3-4C2A-A14E-471E8723BC8E"}], "operator": "OR"}]}], "sourceIdentifier": "security@tibco.com"}