TIBCO takes its security responsibilities very seriously. This page provides information about TIBCO security and how customers or security researchers can contact TIBCO to report or ask about a security issue.
TIBCO Security Advisory: December 14, 2021 - TIBCO Spotfire Server - 2021-43051
- TIBCO Spotfire Server versions 10.10.6 and below
- TIBCO Spotfire Server versions 11.0.0, 11.1.0, 11.2.0, 11.3.0, 11.4.0, and 11.4.1
- TIBCO Spotfire Server versions 11.5.0 and 11.6.0
The following component is affected:
- Spotfire Server
The component listed above contains a difficult to exploit vulnerability that allows malicious custom API clients with network access to execute internal API operations outside of the scope of those granted to it. A successful attack using this vulnerability requires human interaction from a person other than the attacker.
In the worst case, if the user is a privileged administrator, successful execution of these vulnerabilities can result in an attacker gaining full administrative access to the affected system.
CVSS v3 Base Score: 7.1 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H)
TIBCO has released updated versions of the affected systems which address this issue:
- TIBCO Spotfire Server versions 10.10.6 and below update to version 10.10.7 or later
- TIBCO Spotfire Server versions 11.0.0, 11.1.0, 11.2.0, 11.3.0, 11.4.0, and 11.4.1 update to version 11.4.2 or later
- TIBCO Spotfire Server versions 11.5.0 and 11.6.0 update to version 11.6.1 or later