TIBCO Spotfire Server information disclosure vulnerabilities

  Original release date: June 26, 2018
  Last revised: --
  Source: TIBCO Software Inc.


Systems Affected


  TIBCO Spotfire Analytics Platform for AWS Marketplace
    versions 7.12.0 and below

  TIBCO Spotfire Server versions 7.8.1 and below
  TIBCO Spotfire Server version 7.9.0
  TIBCO Spotfire Server version 7.10.0
  TIBCO Spotfire Server version 7.11.0
  TIBCO Spotfire Server version 7.12.0

  The following components are affected:

    * Spotfire server


Description

  The components listed above contain multiple vulnerabilities that may allow
  for the disclosure of information, including user and data source
  credentials.


Impact

  The impact of this vulnerability includes the theoretical possibly that
  an authenticated user could gain access to user and data source credentials,
  and then use those credentials for additional access.

  CVSS v3 Base Score: 6.5 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)


Solution

  TIBCO has released updated versions of the affected components which address
  these issues.

  For each affected system, update to the corresponding software versions:

  TIBCO Spotfire Analytics Platform for AWS Marketplace versions 7.12.0
    and below update to version 7.13.0 or higher

  TIBCO Spotfire Server versions 7.8.1 and below update to
    version 7.8.2 or higher
  TIBCO Spotfire Server version 7.9.0 update to version 7.9.1 or higher
  TIBCO Spotfire Server version 7.10.0 update to version 7.10.1 or higher
  TIBCO Spotfire Server version 7.11.0 update to version 7.11.1 or higher
  TIBCO Spotfire Server version 7.12.0 update to version 7.13.0 or higher


References

  http://www.tibco.com/services/support/advisories
  CVE-2018-5436