TIBCO takes its security responsibilities very seriously. This page provides information about TIBCO security and how customers or security researchers can contact TIBCO to report or ask about a security issue.
TIBCO Security Advisory: November 8, 2023 - TIBCO Spotfire - CVE-2023-26221
- TIBCO Spotfire Analyst versions 12.3.0, 12.4.0 and 12.5.0
- TIBCO Spotfire Server versions 12.3.0, 12.4.0 and 12.5.0
- TIBCO Spotfire Analytics Platform for AWS Marketplace 12.5.0
The following component is affected:
- Spotfire Connectors
The component listed above contains an easily exploitable vulnerability that allows a low privileged attacker with read/write access to craft malicious Analyst files. A successful attack using this vulnerability requires human interaction from a person other than the attacker.
Successful execution of this vulnerability will result in an attacker being able to obtain access tokens of authorized users.
CVSS v3.1 Base Score: 5.0 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
TIBCO has released updated versions of the affected systems which address this issue:
- TIBCO Spotfire Analyst versions 12.3.0, 12.4.0 and 12.5.0: update to Spotfire Analyst version 14.0.0 or later
- TIBCO Spotfire Server versions 12.3.0, 12.4.0 and 12.5.0: update to Spotfire Server version 14.0.0 or later
- TIBCO Spotfire Analytics Platform for AWS Marketplace 12.5.0: update to Spotfire for AWS Marketplace version 14.0.0 or later