TIBCO Managed File Transfer Command Center XXE Vulnerability

Original release date: May 10, 2022
Last revised: ---
Source: TIBCO Software Inc.

Products Affected

TIBCO Managed File Transfer Command Center versions 8.3.1 and below
TIBCO Managed File Transfer Command Center versions 8.4.0 and 8.4.1
TIBCO Managed File Transfer Internet Server versions 8.3.1 and below
TIBCO Managed File Transfer Internet Server versions 8.4.0 and 8.4.1

The following components are affected:

* DOM XML parser
* SAX XML parser

Description

The components listed above contain an easily exploitable vulnerability that allows an unauthenticated attacker with network access to execute XML External Entity (XXE) attacks on the affected system.

Impact

Successful execution of this vulnerability can result in unauthorized update, insert or delete access to data on the affected system and associated resources.

CVSS v3 Base Score: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N)

Solution

TIBCO has released updated versions of the affected systems which address this issue:

TIBCO Managed File Transfer Command Center versions 8.3.1 and below: update to version 8.3.2 or later
TIBCO Managed File Transfer Command Center versions 8.4.0 and 8.4.1: update to version 8.4.2 or later
TIBCO Managed File Transfer Internet Server versions 8.3.1 and below: update to version 8.3.2 or later
TIBCO Managed File Transfer Internet Server versions 8.4.0 and 8.4.1: update to version 8.4.2 or later

Acknowledgments

TIBCO would like to extend its appreciation to Niv Levy for discovery of this vulnerability.

References

https://www.tibco.com/services/support/advisories
CVE-2022-22774