TIBCO takes its security responsibilities very seriously. This page provides information about TIBCO security and how customers or security researchers can contact TIBCO to report or ask about a security issue.
TIBCO Security Advisory: May 14, 2019 - TIBCO Spotfire Statistics Services - 2019-11204
TIBCO Spotfire Statistics Services Exposes Sensitive Files
Original release date: May 14, 2019
Source: TIBCO Software Inc.
- TIBCO Spotfire Statistics Services versions 7.11.1 and below
- TIBCO Spotfire Statistics Services version 10.0.0
The following component is affected:
- Web interface
The component listed above contains a vulnerability that might theoretically allow an authenticated user to access sensitive information needed by the Spotfire Statistics Services server. The sensitive information that might be affected includes database, JMX, LDAP, Windows service account, and user credentials.
The impact of this vulnerability includes the theoretical possibility that credentials for both the Spotfire Statistics Services server and other systems could be exposed.
CVSS v3 Base Score: 9.9 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
TIBCO has released updated versions of the affected components which address these issues.
- TIBCO Spotfire Statistics Services versions 7.11.1 and below: update to version 7.11.2 or higher
- TIBCO Spotfire Statistics Services version 10.0.0: update to version 10.0.1 or higher
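The affected and fixed versions listed above can be checked against an install inventory with a short script. This is an added example, not TIBCO code; the hostnames and the inventory are constructed, and it assumes versions are recorded as dotted numeric strings. Versions are compared as integer tuples because a plain string comparison would rank 7.9 above 7.11.

```python
import re

# Affected ranges and fixed versions, taken from the advisory text above.
FIXED_7X = (7, 11, 2)      # 7.11.1 and below -> update to 7.11.2 or higher
AFFECTED_10 = (10, 0, 0)   # exactly 10.0.0   -> update to 10.0.1 or higher


def parse_version(text):
    """Turn '7.11.1' or '10.0' into a 3-tuple of ints; raise on anything else."""
    m = re.fullmatch(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    # Missing components count as zero, so '10.0' is treated as 10.0.0.
    return tuple(int(g or 0) for g in m.groups())


def triage(version_text):
    """Return (affected, minimum fixed version or None) for one install."""
    v = parse_version(version_text)
    if v < FIXED_7X:
        return True, "7.11.2"
    if v == AFFECTED_10:
        return True, "10.0.1"
    return False, None


def report(inventory):
    """Map hostname -> status; unparseable versions are flagged, not skipped."""
    out = {}
    for host, ver in inventory.items():
        try:
            affected, fix = triage(ver)
        except ValueError:
            out[host] = "UNKNOWN: check manually"
            continue
        out[host] = (f"AFFECTED: update to {fix} or higher"
                     if affected else "not listed as affected")
    return out


# Constructed sample inventory (hostnames and versions are illustrative only).
SAMPLE = {"stats-01": "7.11.1", "stats-02": "7.11.2", "stats-03": "10.0.0",
          "stats-04": "10.0.1", "stats-05": "7.9", "stats-06": "n/a"}

if __name__ == "__main__":
    for host, status in report(SAMPLE).items():
        print(f"{host}: {status}")
```

Because the exposed material includes database, JMX, LDAP, Windows service account, and user credentials, hosts reported as affected are also the ones whose stored credentials should be reviewed after updating.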