CVE-2023-26221

The Spotfire Connectors component of TIBCO Software Inc.'s Spotfire Analyst, Spotfire Server, and Spotfire for AWS Marketplace contains an easily exploitable vulnerability that allows a low privileged attacker with read/write access to craft malicious Analyst files. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.'s Spotfire Analyst: versions 12.3.0, 12.4.0, and 12.5.0, Spotfire Server: versions 12.3.0, 12.4.0, and 12.5.0, and Spotfire for AWS Marketplace: version 12.5.0.

CVSS v3 5.0 MEDIUM

5.0^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 2.7

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://www.tibco.com/services/support/advisories	Vendor Advisory
https://www.tibco.com/services/support/advisories	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:tibco:spotfire_analyst:12.3.0:::::::*
	cpe:2.3:a:tibco:spotfire_analyst:12.4.0:::::::*
	cpe:2.3:a:tibco:spotfire_analyst:12.5.0:::::::*
	cpe:2.3:a:tibco:spotfire_analytics_platform:12.5.0:::::aws_marketplace::
	cpe:2.3:a:tibco:spotfire_server:12.3.0:::::::*
	cpe:2.3:a:tibco:spotfire_server:12.4.0:::::::*
	cpe:2.3:a:tibco:spotfire_server:12.5.0:::::::*

History

21 Nov 2024, 07:50

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-11-08 20:15

Updated : 2024-11-21 07:50

NVD link : CVE-2023-26221

Mitre link : CVE-2023-26221

CVE.ORG link : CVE-2023-26221

JSON object : View

Products Affected

tibco

spotfire_server
spotfire_analytics_platform
spotfire_analyst

CWE

CWE-522

Insufficiently Protected Credentials

{"id": "CVE-2023-26221", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security@tibco.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.0, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 1.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.9, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 1.3}]}, "published": "2023-11-08T20:15:07.313", "references": [{"url": "https://www.tibco.com/services/support/advisories", "tags": ["Vendor Advisory"], "source": "security@tibco.com"}, {"url": "https://www.tibco.com/services/support/advisories", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security@tibco.com", "description": [{"lang": "en", "value": "CWE-522"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-522"}]}], "descriptions": [{"lang": "en", "value": "The Spotfire Connectors component of TIBCO Software Inc.'s Spotfire Analyst, Spotfire Server, and Spotfire for AWS Marketplace contains an easily exploitable vulnerability that allows a low privileged attacker with read/write access to craft malicious Analyst files. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.'s Spotfire Analyst: versions 12.3.0, 12.4.0, and 12.5.0, Spotfire Server: versions 12.3.0, 12.4.0, and 12.5.0, and Spotfire for AWS Marketplace: version 12.5.0.\n\n"}, {"lang": "es", "value": "El componente Spotfire Connectors de Spotfire Analyst, Spotfire Server y Spotfire para AWS Marketplace de TIBCO Software Inc. contiene una vulnerabilidad f\u00e1cilmente explotable que permite a un atacante con pocos privilegios y acceso de lectura/escritura crear archivos maliciosos de Analyst. Un ataque exitoso que utilice esta vulnerabilidad requiere la interacci\u00f3n humana de una persona distinta del atacante. Las versiones afectadas son Spotfire Analyst de TIBCO Software Inc.: versiones 12.3.0, 12.4.0 y 12.5.0, Spotfire Server: versiones 12.3.0, 12.4.0 y 12.5.0, y Spotfire para AWS Marketplace: versi\u00f3n 12.5.0."}], "lastModified": "2024-11-21T07:50:56.717", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:tibco:spotfire_analyst:12.3.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "949054A7-A299-4C11-9E2B-7437D6C4D801"}, {"criteria": "cpe:2.3:a:tibco:spotfire_analyst:12.4.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C63E85E6-8519-4957-B55B-0B8F6E658B2B"}, {"criteria": "cpe:2.3:a:tibco:spotfire_analyst:12.5.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FE433F55-79E4-438C-81C7-4CEEAEE1C442"}, {"criteria": "cpe:2.3:a:tibco:spotfire_analytics_platform:12.5.0:*:*:*:*:aws_marketplace:*:*", "vulnerable": true, "matchCriteriaId": "55B9367D-3938-4059-BABE-72322C2AE10C"}, {"criteria": "cpe:2.3:a:tibco:spotfire_server:12.3.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0F7F5C30-950E-4483-8795-761C506BB549"}, {"criteria": "cpe:2.3:a:tibco:spotfire_server:12.4.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4B67F529-EB21-4628-ADA2-56E76DA272EB"}, {"criteria": "cpe:2.3:a:tibco:spotfire_server:12.5.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "889EE133-0CEE-429F-A58E-1F310FB981B8"}], "operator": "OR"}]}], "sourceIdentifier": "security@tibco.com"}