TIBCO Managed File Transfer privilege escalation vulnerabilities

  Original release date: October 17, 2017
  Last revised: --
  Source: TIBCO Software Inc.


Systems Affected

 TIBCO Managed File Transfer Command Center versions 8.0.0 and 8.0.1
 TIBCO Managed File Transfer Internet Server versions 8.0.0 and 8.0.1

  The following components are affected:

    * Administrator Service


Description

  Deployments of the affected systems that enable the Administrator Service
  may be affected by a vulnerability which may allow any authenticated user to
  gain administrative control of Managed File Transfer web applications.


Impact

  The impact of this vulnerability includes the theoretical escalation of
  privileges by any authenticated user to gain administrative control of
  Managed File Transfer web applications.

  CVSS v3 Base Score: 8.0 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)


Solution

  Deployments that enable the Administrator Service for the affected systems
  should remove the file management_activity_activeusers.jsp. This file can be
  found relative to the installation directory of the Managed File Transfer
  product(s):

  <install>/server/webapps/cfcc/view/cfcc/management_activity_activeusers.jsp

References

  http://www.tibco.com/services/support/advisories
  CVE: CVE-2017-5531