Vulnerability: CVE-2020-9408

The Spotfire library component of TIBCO Software Inc.’s TIBCO Spotfire Analytics Platform for AWS Marketplace and TIBCO Spotfire Server contains a vulnerability that theoretically allows an attacker with write permissions to the Spotfire Library, but not ""Script Author"" group permission, to modify attributes of files and objects saved to the library such that the system treats them as trusted. This could allow an attacker to cause the Spotfire Web Player, Analyst clients, and TERR Service into executing arbitrary code with the privileges of the system account that started those processes. Affected releases are TIBCO Software Inc.’s TIBCO Spotfire Analytics Platform for AWS Marketplace: versions 10.8.0 and below and TIBCO Spotfire Server: versions 7.11.9 and below, versions 7.12.0, 7.13.0, 7.14.0, 10.0.0, 10.0.1, 10.1.0, 10.2.0, 10.3.0, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, and 10.3.6, versions 10.4.0, 10.5.0, 10.6.0, 10.6.1, 10.7.0, and 10.8.0.


http://www.tibco.com/services/support/advisories
https://www.tibco.com/support/advisories/2020/03/tibco-security-advisory-march-11-2020-tibco-spotfire-server
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9408


It's possible to leave a comment as registered users to the site, accessing through social, wordpress account or as anonymous users. If you want to leave a comment as an anonymous user you will be notified by email of a possible response only if you enter the email address (optional). The insertion of any data in the comment fields is totally optional. Whoever decides to insert any data accepts the treatment of these last ones for the inherent purposes of the service that is the answer to the comment and the strictly necessary communications.


Leave a Reply