TIBCO Security Advisory: October 27, 2015 - TIBCO Spotfire®
The TIBCO Spotfire® components listed above contain critical vulnerabilities in the handling of HTTP requests which may result in information disclosure.
CVE-2015-5712 - An authenticated URL may be manipulated to disclose system information.
CVE-2015-5713 - An unauthenticated URL may be manipulated to disclose logging information.
TIBCO has released updated versions of the affected software products which address these issues. TIBCO strongly recommends sites running the affected components install the applicable update as described below.
- TIBCO Spotfire Server 5.5.3 and below
- TIBCO Spotfire Server 6.0.X version 6.0.4 and below
- TIBCO Spotfire Server 6.5.X version 6.5.3 and below
- TIBCO Spotfire Server 7.0.0
- TIBCO Spotfire Analytics Platform for AWS Marketplace 7.0.1 and below
The following components are affected:
- TIBCO Spotfire Parsing Library
- TIBCO Spotfire Security Filter
The impact of this vulnerability is information disclosure.
CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
For each affected system, update to the corresponding software versions:
- TIBCO Spotfire Server 5.5.X version 5.5.4 or higher
- TIBCO Spotfire Server 6.0.X version 6.0.5 or higher
- TIBCO Spotfire Server 6.5.X version 6.5.4 or higher
- TIBCO Spotfire Server 7.0.1 or higher
- TIBCO Spotfire Analytics Platform for AWS Marketplace version 7.0.2 or higher