cnvd - cnvd-2020-12703

CNVD-2020-12703

Vulnerability from cnvd - Published: 2020-02-19

Title

TIBCO Spotfire Analytics Platform for AWS Marketplace和TIBCO Spotfire Server信息泄露漏洞（CNVD-2020-12703）

Description

TIBCO Spotfire Analytics Platform for AWS Marketplace是一套为在线软件商店AWS Marketplace提供数据可视化分析的平台。TIBCO Spotfire Server是一款智能、安全、灵活且可扩展的工具，可提供数据可视化、发现、整理和预测分析功能。 TIBCO Spotfire Analytics Platform for AWS Marketplace和TIBCO Spotfire Server的数据访问层组件存在信息泄露漏洞，攻击者可利用该漏洞越权访问从数据源或数据源的一部分缓存的数据。

Severity

中

Patch Name

TIBCO Spotfire Analytics Platform for AWS Marketplace和TIBCO Spotfire Server信息泄露漏洞（CNVD-2020-12703）的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://www.tibco.com/support/advisories/2019/12/tibco-security-advisory-december-17-2019-tibco-spotfire-2019-17335

Reference

https://nvd.nist.gov/vuln/detail/CVE-2019-17335

Impacted products

Name
['TIBCO Spotfire Server <=7.11.7', 'TIBCO Spotfire Server 7.12.0', 'TIBCO Spotfire Server 7.13.0', 'TIBCO Spotfire Server 7.14.0', 'TIBCO Spotfire Server 10.0.0', 'TIBCO Spotfire Server 10.0.1', 'TIBCO Spotfire Server 10.1.0', 'TIBCO Spotfire Server 10.2.0', 'TIBCO Spotfire Server 10.2.1', 'TIBCO Spotfire Server 10.3.0', 'TIBCO Spotfire Server 10.3.1', 'TIBCO Spotfire Server 10.3.2', 'TIBCO Spotfire Server 10.3.3', 'TIBCO Spotfire Server 10.3.4', 'TIBCO Spotfire Server 10.4.0', 'TIBCO Spotfire Server 10.5.0', 'TIBCO Spotfire Server 10.6.0', 'TIBCO Spotfire Analytics Platform for AWS Marketplace 10.6.0']

Name

['TIBCO Spotfire Server <=7.11.7', 'TIBCO Spotfire Server 7.12.0', 'TIBCO Spotfire Server 7.13.0', 'TIBCO Spotfire Server 7.14.0', 'TIBCO Spotfire Server 10.0.0', 'TIBCO Spotfire Server 10.0.1', 'TIBCO Spotfire Server 10.1.0', 'TIBCO Spotfire Server 10.2.0', 'TIBCO Spotfire Server 10.2.1', 'TIBCO Spotfire Server 10.3.0', 'TIBCO Spotfire Server 10.3.1', 'TIBCO Spotfire Server 10.3.2', 'TIBCO Spotfire Server 10.3.3', 'TIBCO Spotfire Server 10.3.4', 'TIBCO Spotfire Server 10.4.0', 'TIBCO Spotfire Server 10.5.0', 'TIBCO Spotfire Server 10.6.0', 'TIBCO Spotfire Analytics Platform for AWS Marketplace 10.6.0']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2019-17335",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2019-17335"
    }
  },
  "description": "TIBCO Spotfire Analytics Platform for AWS Marketplace\u662f\u4e00\u5957\u4e3a\u5728\u7ebf\u8f6f\u4ef6\u5546\u5e97AWS Marketplace\u63d0\u4f9b\u6570\u636e\u53ef\u89c6\u5316\u5206\u6790\u7684\u5e73\u53f0\u3002TIBCO Spotfire Server\u662f\u4e00\u6b3e\u667a\u80fd\u3001\u5b89\u5168\u3001\u7075\u6d3b\u4e14\u53ef\u6269\u5c55\u7684\u5de5\u5177\uff0c\u53ef\u63d0\u4f9b\u6570\u636e\u53ef\u89c6\u5316\u3001\u53d1\u73b0\u3001\u6574\u7406\u548c\u9884\u6d4b\u5206\u6790\u529f\u80fd\u3002\n\nTIBCO Spotfire Analytics Platform for AWS Marketplace\u548cTIBCO Spotfire Server\u7684\u6570\u636e\u8bbf\u95ee\u5c42\u7ec4\u4ef6\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8d8a\u6743\u8bbf\u95ee\u4ece\u6570\u636e\u6e90\u6216\u6570\u636e\u6e90\u7684\u4e00\u90e8\u5206\u7f13\u5b58\u7684\u6570\u636e\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://www.tibco.com/support/advisories/2019/12/tibco-security-advisory-december-17-2019-tibco-spotfire-2019-17335",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-12703",
  "openTime": "2020-02-19",
  "patchDescription": "TIBCO Spotfire Analytics Platform for AWS Marketplace\u662f\u4e00\u5957\u4e3a\u5728\u7ebf\u8f6f\u4ef6\u5546\u5e97AWS Marketplace\u63d0\u4f9b\u6570\u636e\u53ef\u89c6\u5316\u5206\u6790\u7684\u5e73\u53f0\u3002TIBCO Spotfire Server\u662f\u4e00\u6b3e\u667a\u80fd\u3001\u5b89\u5168\u3001\u7075\u6d3b\u4e14\u53ef\u6269\u5c55\u7684\u5de5\u5177\uff0c\u53ef\u63d0\u4f9b\u6570\u636e\u53ef\u89c6\u5316\u3001\u53d1\u73b0\u3001\u6574\u7406\u548c\u9884\u6d4b\u5206\u6790\u529f\u80fd\u3002\r\n\r\nTIBCO Spotfire Analytics Platform for AWS Marketplace\u548cTIBCO Spotfire Server\u7684\u6570\u636e\u8bbf\u95ee\u5c42\u7ec4\u4ef6\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8d8a\u6743\u8bbf\u95ee\u4ece\u6570\u636e\u6e90\u6216\u6570\u636e\u6e90\u7684\u4e00\u90e8\u5206\u7f13\u5b58\u7684\u6570\u636e\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "TIBCO Spotfire Analytics Platform for AWS Marketplace\u548cTIBCO Spotfire Server\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff08CNVD-2020-12703\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "TIBCO Spotfire Server \u003c=7.11.7",
      "TIBCO Spotfire Server 7.12.0",
      "TIBCO Spotfire Server 7.13.0",
      "TIBCO Spotfire Server 7.14.0",
      "TIBCO Spotfire Server 10.0.0",
      "TIBCO Spotfire Server 10.0.1",
      "TIBCO Spotfire Server 10.1.0",
      "TIBCO Spotfire Server 10.2.0",
      "TIBCO Spotfire Server 10.2.1",
      "TIBCO Spotfire Server 10.3.0",
      "TIBCO Spotfire Server 10.3.1",
      "TIBCO Spotfire Server 10.3.2",
      "TIBCO Spotfire Server 10.3.3",
      "TIBCO Spotfire Server 10.3.4",
      "TIBCO Spotfire Server 10.4.0",
      "TIBCO Spotfire Server 10.5.0",
      "TIBCO Spotfire Server 10.6.0",
      "TIBCO Spotfire Analytics Platform for AWS Marketplace 10.6.0"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2019-17335",
  "serverity": "\u4e2d",
  "submitTime": "2019-12-18",
  "title": "TIBCO Spotfire Analytics Platform for AWS Marketplace\u548cTIBCO Spotfire Server\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff08CNVD-2020-12703\uff09"
}

CVE-2019-17335 (GCVE-0-2019-17335)

Vulnerability from cvelistv5 – Published: 2019-12-17 20:55 – Updated: 2024-09-16 20:58

Summary

The Data access layer component of TIBCO Software Inc.'s TIBCO Spotfire Analytics Platform for AWS Marketplace and TIBCO Spotfire Server contains multiple vulnerabilities that theoretically allow an attacker access to data cached from a data source, or a portion of a data source, that the attacker should not have access to. The attacker would need privileges to save a Spotfire file to the library. Affected releases are TIBCO Software Inc.'s TIBCO Spotfire Analytics Platform for AWS Marketplace: version 10.6.0 and TIBCO Spotfire Server: versions 7.11.7 and below, versions 7.12.0, 7.13.0, 7.14.0, 10.0.0, 10.0.1, 10.1.0, 10.2.0, 10.2.1, 10.3.0, 10.3.1, 10.3.2, 10.3.3, and 10.3.4, versions 10.4.0, 10.5.0, and 10.6.0.

Severity ?

5.3 (Medium)


                        
                          CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE

The impact of this vulnerability includes the theoretical possibility that the attacker could gain unauthorized access to data that other users have recently viewed.

Assigner

tibco

References

URL

Tags

	http://www.tibco.com/services/support/advisories	x_refsource_MISC
	https://www.tibco.com/support/advisories/2019/12/…	x_refsource_MISC

Impacted products

Vendor

Product

Version

TIBCO Software Inc.

TIBCO Spotfire Analytics Platform for AWS Marketplace

Affected: 10.6.0

TIBCO Software Inc.

TIBCO Spotfire Server

Affected: unspecified , ≤ 7.11.7 (custom)
Affected: 7.12.0
Affected: 7.13.0
Affected: 7.14.0
Affected: 10.0.0
Affected: 10.0.1
Affected: 10.1.0
Affected: 10.2.0
Affected: 10.2.1
Affected: 10.3.0
Affected: 10.3.1
Affected: 10.3.2
Affected: 10.3.3
Affected: 10.3.4
Affected: 10.4.0
Affected: 10.5.0
Affected: 10.6.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T01:40:14.503Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://www.tibco.com/services/support/advisories"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.tibco.com/support/advisories/2019/12/tibco-security-advisory-december-17-2019-tibco-spotfire-2019-17335"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "TIBCO Spotfire Analytics Platform for AWS Marketplace",
          "vendor": "TIBCO Software Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "10.6.0"
            }
          ]
        },
        {
          "product": "TIBCO Spotfire Server",
          "vendor": "TIBCO Software Inc.",
          "versions": [
            {
              "lessThanOrEqual": "7.11.7",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "status": "affected",
              "version": "7.12.0"
            },
            {
              "status": "affected",
              "version": "7.13.0"
            },
            {
              "status": "affected",
              "version": "7.14.0"
            },
            {
              "status": "affected",
              "version": "10.0.0"
            },
            {
              "status": "affected",
              "version": "10.0.1"
            },
            {
              "status": "affected",
              "version": "10.1.0"
            },
            {
              "status": "affected",
              "version": "10.2.0"
            },
            {
              "status": "affected",
              "version": "10.2.1"
            },
            {
              "status": "affected",
              "version": "10.3.0"
            },
            {
              "status": "affected",
              "version": "10.3.1"
            },
            {
              "status": "affected",
              "version": "10.3.2"
            },
            {
              "status": "affected",
              "version": "10.3.3"
            },
            {
              "status": "affected",
              "version": "10.3.4"
            },
            {
              "status": "affected",
              "version": "10.4.0"
            },
            {
              "status": "affected",
              "version": "10.5.0"
            },
            {
              "status": "affected",
              "version": "10.6.0"
            }
          ]
        }
      ],
      "datePublic": "2019-12-17T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The Data access layer component of TIBCO Software Inc.\u0027s TIBCO Spotfire Analytics Platform for AWS Marketplace and TIBCO Spotfire Server contains multiple vulnerabilities that theoretically allow an attacker access to data cached from a data source, or a portion of a data source, that the attacker should not have access to. The attacker would need privileges to save a Spotfire file to the library. Affected releases are TIBCO Software Inc.\u0027s TIBCO Spotfire Analytics Platform for AWS Marketplace: version 10.6.0 and TIBCO Spotfire Server: versions 7.11.7 and below, versions 7.12.0, 7.13.0, 7.14.0, 10.0.0, 10.0.1, 10.1.0, 10.2.0, 10.2.1, 10.3.0, 10.3.1, 10.3.2, 10.3.3, and 10.3.4, versions 10.4.0, 10.5.0, and 10.6.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "The impact of this vulnerability includes the theoretical possibility that the attacker could gain unauthorized access to data that other users have recently viewed.",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-12-17T20:55:17",
        "orgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
        "shortName": "tibco"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://www.tibco.com/services/support/advisories"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.tibco.com/support/advisories/2019/12/tibco-security-advisory-december-17-2019-tibco-spotfire-2019-17335"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "TIBCO has released updated versions of the affected components which address these issues.\n\nTIBCO Spotfire Analytics Platform for AWS Marketplace version 10.6.0 update to version 10.6.1 or higher\nTIBCO Spotfire Server versions 7.11.7 and below update to version 7.11.8 or higher\nTIBCO Spotfire Server versions 7.12.0, 7.13.0, 7.14.0, 10.0.0, 10.0.1, 10.1.0, 10.2.0, 10.2.1, 10.3.0, 10.3.1, 10.3.2, 10.3.3, and 10.3.4 update to version 10.3.5 or higher\nTIBCO Spotfire Server versions 10.4.0, 10.5.0, and 10.6.0 update to version 10.6.1 or higher"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "TIBCO Spotfire Server Exposes User-Specific Cached Data To Others Users",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@tibco.com",
          "DATE_PUBLIC": "2019-12-17T17:00:00Z",
          "ID": "CVE-2019-17335",
          "STATE": "PUBLIC",
          "TITLE": "TIBCO Spotfire Server Exposes User-Specific Cached Data To Others Users"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "TIBCO Spotfire Analytics Platform for AWS Marketplace",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "=",
                            "version_value": "10.6.0"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "TIBCO Spotfire Server",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "7.11.7"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "7.12.0"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "7.13.0"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "7.14.0"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "10.0.0"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "10.0.1"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "10.1.0"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "10.2.0"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "10.2.1"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "10.3.0"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "10.3.1"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "10.3.2"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "10.3.3"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "10.3.4"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "10.4.0"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "10.5.0"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "10.6.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "TIBCO Software Inc."
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Data access layer component of TIBCO Software Inc.\u0027s TIBCO Spotfire Analytics Platform for AWS Marketplace and TIBCO Spotfire Server contains multiple vulnerabilities that theoretically allow an attacker access to data cached from a data source, or a portion of a data source, that the attacker should not have access to. The attacker would need privileges to save a Spotfire file to the library. Affected releases are TIBCO Software Inc.\u0027s TIBCO Spotfire Analytics Platform for AWS Marketplace: version 10.6.0 and TIBCO Spotfire Server: versions 7.11.7 and below, versions 7.12.0, 7.13.0, 7.14.0, 10.0.0, 10.0.1, 10.1.0, 10.2.0, 10.2.1, 10.3.0, 10.3.1, 10.3.2, 10.3.3, and 10.3.4, versions 10.4.0, 10.5.0, and 10.6.0."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "The impact of this vulnerability includes the theoretical possibility that the attacker could gain unauthorized access to data that other users have recently viewed."
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://www.tibco.com/services/support/advisories",
              "refsource": "MISC",
              "url": "http://www.tibco.com/services/support/advisories"
            },
            {
              "name": "https://www.tibco.com/support/advisories/2019/12/tibco-security-advisory-december-17-2019-tibco-spotfire-2019-17335",
              "refsource": "MISC",
              "url": "https://www.tibco.com/support/advisories/2019/12/tibco-security-advisory-december-17-2019-tibco-spotfire-2019-17335"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "TIBCO has released updated versions of the affected components which address these issues.\n\nTIBCO Spotfire Analytics Platform for AWS Marketplace version 10.6.0 update to version 10.6.1 or higher\nTIBCO Spotfire Server versions 7.11.7 and below update to version 7.11.8 or higher\nTIBCO Spotfire Server versions 7.12.0, 7.13.0, 7.14.0, 10.0.0, 10.0.1, 10.1.0, 10.2.0, 10.2.1, 10.3.0, 10.3.1, 10.3.2, 10.3.3, and 10.3.4 update to version 10.3.5 or higher\nTIBCO Spotfire Server versions 10.4.0, 10.5.0, and 10.6.0 update to version 10.6.1 or higher"
          }
        ],
        "source": {
          "discovery": "INTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
    "assignerShortName": "tibco",
    "cveId": "CVE-2019-17335",
    "datePublished": "2019-12-17T20:55:17.568949Z",
    "dateReserved": "2019-10-07T00:00:00",
    "dateUpdated": "2024-09-16T20:58:01.616Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2020-12703

CVE-2019-17335 (GCVE-0-2019-17335)

Tags

Sightings

Nomenclature