TIBCO takes its security responsibilities very seriously. This page provides information about TIBCO security and how customers or security researchers can contact TIBCO to report or ask about a security issue.
TIBCO Security Advisory: April 24, 2019 - TIBCO BPM Enterprise - 2019-8995
TIBCO BPM Enterprise Open Redirect Vulnerability
Original release date: April 24, 2019
Source: TIBCO Software Inc.
The following products are affected:
- TIBCO ActiveMatrix BPM versions 4.2.0 and below
- TIBCO ActiveMatrix BPM Distribution for TIBCO Silver Fabric versions 4.2.0 and below
- TIBCO Silver Fabric Enabler for ActiveMatrix BPM versions 1.4.1 and below
The following components are affected:
- Workspace client
- Openspace client
- App development client
The components listed above contain an open redirect vulnerability: a malicious URL could trick a user into visiting a website of the attacker's choice.
The impact of this vulnerability includes the theoretical possibility that a user could be tricked into visiting a malicious website.
CVSS v3 Base Score: 4.7 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N)
TIBCO has released updated versions of the affected components which address this issue.
For each affected system, update to the corresponding software versions:
- TIBCO ActiveMatrix BPM versions 4.2.0 and below: update to version 4.3.0 or higher
- TIBCO ActiveMatrix BPM Distribution for TIBCO Silver Fabric versions 4.2.0 and below: update to version 4.3.0 or higher
- TIBCO Silver Fabric Enabler for ActiveMatrix BPM versions 1.4.1 and below: update to version 1.4.2 or higher