CVE-2024-1137 (GCVE-0-2024-1137)
Vulnerability from cvelistv5 – Published: 2024-03-12 17:31 – Updated: 2024-10-31 14:50
Summary
The Proxy and Client components of TIBCO Software Inc.'s TIBCO ActiveSpaces - Enterprise Edition contain a vulnerability that theoretically allows an Active Spaces client to passively observe data traffic to other clients. Affected releases are TIBCO Software Inc.'s TIBCO ActiveSpaces - Enterprise Edition: versions 4.4.0 through 4.9.0.
Severity
4.3 (Medium)
CWE
- The impact of this vulnerability includes the theoretical possibility of bypassing table access controls. The attacker cannot actively make queries, but may observe the results of queries by other clients, even though the attacker does not have permission to access that data.
Assigner
tibco
References
- https://community.tibco.com/advisories/tibco-security-advisory-march-12-2024-tibco-activespaces-cve-2024-1137-r208/
Impacted products
| Vendor | Product | Version |
|---|---|---|
| TIBCO Software Inc. | TIBCO ActiveSpaces - Enterprise Edition | Affected: 4.4.0 to ≤ 4.9.0 (semver) |
```json
{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-1137",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-03-13T15:02:45.990494Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-862",
                "description": "CWE-862 Missing Authorization",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-31T14:50:46.546Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T18:26:30.510Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://community.tibco.com/advisories/tibco-security-advisory-march-12-2024-tibco-activespaces-cve-2024-1137-r208/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "TIBCO ActiveSpaces - Enterprise Edition",
          "vendor": "TIBCO Software Inc.",
          "versions": [
            {
              "lessThanOrEqual": "4.9.0",
              "status": "affected",
              "version": "4.4.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe Proxy and Client components of TIBCO Software Inc.\u0027s TIBCO ActiveSpaces - Enterprise Edition contain a vulnerability that theoretically allows an Active Spaces client to passively observe data traffic to other clients. Affected releases are TIBCO Software Inc.\u0027s TIBCO ActiveSpaces - Enterprise Edition: versions 4.4.0 through 4.9.0.\u003c/p\u003e"
            }
          ],
          "value": "The Proxy and Client components of TIBCO Software Inc.\u0027s TIBCO ActiveSpaces - Enterprise Edition contain a vulnerability that theoretically allows an Active Spaces client to passively observe data traffic to other clients. Affected releases are TIBCO Software Inc.\u0027s TIBCO ActiveSpaces - Enterprise Edition: versions 4.4.0 through 4.9.0.\n\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "This impact of this vulnerability includes the theoretical possibility of bypassing table access controls. The attacker cannot actively make queries, but may observe the results of queries by other clients, even though the attacker does not have permission to access that data.",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-03-12T17:31:19.481Z",
        "orgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
        "shortName": "tibco"
      },
      "references": [
        {
          "url": "https://community.tibco.com/advisories/tibco-security-advisory-march-12-2024-tibco-activespaces-cve-2024-1137-r208/"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eTIBCO has released updated versions of the affected components which address these issues.\u003c/p\u003e\u003cp\u003eTIBCO ActiveSpaces - Enterprise Edition versions 4.4.0 through 4.9.0: update to version 4.9.1 or later\u003c/p\u003e"
            }
          ],
          "value": "TIBCO has released updated versions of the affected components which address these issues.\n\nTIBCO ActiveSpaces - Enterprise Edition versions 4.4.0 through 4.9.0: update to version 4.9.1 or later\n\n"
        }
      ],
      "title": "TIBCO ActiveSpaces Information Leak Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
    "assignerShortName": "tibco",
    "cveId": "CVE-2024-1137",
    "datePublished": "2024-03-12T17:31:19.481Z",
    "dateReserved": "2024-01-31T20:34:27.115Z",
    "dateUpdated": "2024-10-31T14:50:46.546Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "id": "CVE-2024-1137",
      "lastModified": "2024-11-21T08:49:52.723",
      "published": "2024-03-12T18:15:07.110",
      "sourceIdentifier": "security@tibco.com",
      "vulnStatus": "Awaiting Analysis"
    },
    "vulnrichment": {
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}
```
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.