cnvd - cnvd-2020-12705

CNVD-2020-12705

Vulnerability from cnvd - Published: 2020-02-19

Title

TIBCO Spotfire Analytics Platform for AWS Marketplace和TIBCO Spotfire Server跨站脚本漏洞

Description

TIBCO Spotfire Analytics Platform for AWS Marketplace是一套为在线软件商店AWS Marketplace提供数据可视化分析的平台。TIBCO Spotfire Server是一款智能、安全、灵活且可扩展的工具，可提供数据可视化、发现、整理和预测分析功能。 TIBCO Spotfire Analytics Platform for AWS Marketplace和TIBCO Spotfire Server的Spotfire library组件存在跨站脚本漏洞，攻击者可利用该漏洞执行客户端代码。

Severity

中

Patch Name

TIBCO Spotfire Analytics Platform for AWS Marketplace和TIBCO Spotfire Server跨站脚本漏洞的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://www.tibco.com/support/advisories/2019/12/tibco-security-advisory-december-17-2019-tibco-spotfire-2019-17337

Reference

https://nvd.nist.gov/vuln/detail/CVE-2019-17337

Impacted products

Name
['TIBCO Spotfire Server <=7.11.7', 'TIBCO Spotfire Server 7.12.0', 'TIBCO Spotfire Server 7.13.0', 'TIBCO Spotfire Server 7.14.0', 'TIBCO Spotfire Server 10.0.0', 'TIBCO Spotfire Server 10.0.1', 'TIBCO Spotfire Server 10.1.0', 'TIBCO Spotfire Server 10.2.0', 'TIBCO Spotfire Server 10.2.1', 'TIBCO Spotfire Server 10.3.0', 'TIBCO Spotfire Server 10.3.1', 'TIBCO Spotfire Server 10.3.2', 'TIBCO Spotfire Server 10.3.3', 'TIBCO Spotfire Server 10.3.4', 'TIBCO Spotfire Server 10.4.0', 'TIBCO Spotfire Server 10.5.0', 'TIBCO Spotfire Server 10.6.0', 'TIBCO Spotfire Analytics Platform for AWS Marketplace 10.6.0']

Name

['TIBCO Spotfire Server <=7.11.7', 'TIBCO Spotfire Server 7.12.0', 'TIBCO Spotfire Server 7.13.0', 'TIBCO Spotfire Server 7.14.0', 'TIBCO Spotfire Server 10.0.0', 'TIBCO Spotfire Server 10.0.1', 'TIBCO Spotfire Server 10.1.0', 'TIBCO Spotfire Server 10.2.0', 'TIBCO Spotfire Server 10.2.1', 'TIBCO Spotfire Server 10.3.0', 'TIBCO Spotfire Server 10.3.1', 'TIBCO Spotfire Server 10.3.2', 'TIBCO Spotfire Server 10.3.3', 'TIBCO Spotfire Server 10.3.4', 'TIBCO Spotfire Server 10.4.0', 'TIBCO Spotfire Server 10.5.0', 'TIBCO Spotfire Server 10.6.0', 'TIBCO Spotfire Analytics Platform for AWS Marketplace 10.6.0']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2019-17337",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2019-17337"
    }
  },
  "description": "TIBCO Spotfire Analytics Platform for AWS Marketplace\u662f\u4e00\u5957\u4e3a\u5728\u7ebf\u8f6f\u4ef6\u5546\u5e97AWS Marketplace\u63d0\u4f9b\u6570\u636e\u53ef\u89c6\u5316\u5206\u6790\u7684\u5e73\u53f0\u3002TIBCO Spotfire Server\u662f\u4e00\u6b3e\u667a\u80fd\u3001\u5b89\u5168\u3001\u7075\u6d3b\u4e14\u53ef\u6269\u5c55\u7684\u5de5\u5177\uff0c\u53ef\u63d0\u4f9b\u6570\u636e\u53ef\u89c6\u5316\u3001\u53d1\u73b0\u3001\u6574\u7406\u548c\u9884\u6d4b\u5206\u6790\u529f\u80fd\u3002\n\nTIBCO Spotfire Analytics Platform for AWS Marketplace\u548cTIBCO Spotfire Server\u7684Spotfire library\u7ec4\u4ef6\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u5ba2\u6237\u7aef\u4ee3\u7801\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://www.tibco.com/support/advisories/2019/12/tibco-security-advisory-december-17-2019-tibco-spotfire-2019-17337",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-12705",
  "openTime": "2020-02-19",
  "patchDescription": "TIBCO Spotfire Analytics Platform for AWS Marketplace\u662f\u4e00\u5957\u4e3a\u5728\u7ebf\u8f6f\u4ef6\u5546\u5e97AWS Marketplace\u63d0\u4f9b\u6570\u636e\u53ef\u89c6\u5316\u5206\u6790\u7684\u5e73\u53f0\u3002TIBCO Spotfire Server\u662f\u4e00\u6b3e\u667a\u80fd\u3001\u5b89\u5168\u3001\u7075\u6d3b\u4e14\u53ef\u6269\u5c55\u7684\u5de5\u5177\uff0c\u53ef\u63d0\u4f9b\u6570\u636e\u53ef\u89c6\u5316\u3001\u53d1\u73b0\u3001\u6574\u7406\u548c\u9884\u6d4b\u5206\u6790\u529f\u80fd\u3002\r\n\r\nTIBCO Spotfire Analytics Platform for AWS Marketplace\u548cTIBCO Spotfire Server\u7684Spotfire library\u7ec4\u4ef6\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u5ba2\u6237\u7aef\u4ee3\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "TIBCO Spotfire Analytics Platform for AWS Marketplace\u548cTIBCO Spotfire Server\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "TIBCO Spotfire Server \u003c=7.11.7",
      "TIBCO Spotfire Server 7.12.0",
      "TIBCO Spotfire Server 7.13.0",
      "TIBCO Spotfire Server 7.14.0",
      "TIBCO Spotfire Server 10.0.0",
      "TIBCO Spotfire Server 10.0.1",
      "TIBCO Spotfire Server 10.1.0",
      "TIBCO Spotfire Server 10.2.0",
      "TIBCO Spotfire Server 10.2.1",
      "TIBCO Spotfire Server 10.3.0",
      "TIBCO Spotfire Server 10.3.1",
      "TIBCO Spotfire Server 10.3.2",
      "TIBCO Spotfire Server 10.3.3",
      "TIBCO Spotfire Server 10.3.4",
      "TIBCO Spotfire Server 10.4.0",
      "TIBCO Spotfire Server 10.5.0",
      "TIBCO Spotfire Server 10.6.0",
      "TIBCO Spotfire Analytics Platform for AWS Marketplace 10.6.0"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2019-17337",
  "serverity": "\u4e2d",
  "submitTime": "2019-12-18",
  "title": "TIBCO Spotfire Analytics Platform for AWS Marketplace\u548cTIBCO Spotfire Server\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e"
}

CVE-2019-17337 (GCVE-0-2019-17337)

Vulnerability from cvelistv5 – Published: 2019-12-17 20:55 – Updated: 2024-09-16 21:02

Summary

The Spotfire library component of TIBCO Software Inc.'s TIBCO Spotfire Analytics Platform for AWS Marketplace and TIBCO Spotfire Server contains a vulnerability that theoretically allows an attacker to perform a reflected cross-site scripting (XSS) attack. Affected releases are TIBCO Software Inc.'s TIBCO Spotfire Analytics Platform for AWS Marketplace: version 10.6.0 and TIBCO Spotfire Server: versions 7.11.7 and below, versions 7.12.0, 7.13.0, 7.14.0, 10.0.0, 10.0.1, 10.1.0, 10.2.0, 10.2.1, 10.3.0, 10.3.1, 10.3.2, 10.3.3, and 10.3.4, versions 10.4.0, 10.5.0, and 10.6.0.

Severity ?

8.1 (High)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

CWE

The impact of the vulnerability includes the theoretical possibility that an attacker could gain full administrative access to the web interface of the affected component.

Assigner

tibco

References

URL

Tags

	http://www.tibco.com/services/support/advisories	x_refsource_MISC
	https://www.tibco.com/support/advisories/2019/12/…	x_refsource_MISC

Impacted products

Vendor

Product

Version

TIBCO Software Inc.

TIBCO Spotfire Analytics Platform for AWS Marketplace

Affected: 10.6.0

TIBCO Software Inc.

TIBCO Spotfire Server

Affected: unspecified , ≤ 7.11.7 (custom)
Affected: 7.12.0
Affected: 7.13.0
Affected: 7.14.0
Affected: 10.0.0
Affected: 10.0.1
Affected: 10.1.0
Affected: 10.2.0
Affected: 10.2.1
Affected: 10.3.0
Affected: 10.3.1
Affected: 10.3.2
Affected: 10.3.3
Affected: 10.3.4
Affected: 10.4.0
Affected: 10.5.0
Affected: 10.6.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T01:40:14.494Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://www.tibco.com/services/support/advisories"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.tibco.com/support/advisories/2019/12/tibco-security-advisory-december-17-2019-tibco-spotfire-2019-17337"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "TIBCO Spotfire Analytics Platform for AWS Marketplace",
          "vendor": "TIBCO Software Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "10.6.0"
            }
          ]
        },
        {
          "product": "TIBCO Spotfire Server",
          "vendor": "TIBCO Software Inc.",
          "versions": [
            {
              "lessThanOrEqual": "7.11.7",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "status": "affected",
              "version": "7.12.0"
            },
            {
              "status": "affected",
              "version": "7.13.0"
            },
            {
              "status": "affected",
              "version": "7.14.0"
            },
            {
              "status": "affected",
              "version": "10.0.0"
            },
            {
              "status": "affected",
              "version": "10.0.1"
            },
            {
              "status": "affected",
              "version": "10.1.0"
            },
            {
              "status": "affected",
              "version": "10.2.0"
            },
            {
              "status": "affected",
              "version": "10.2.1"
            },
            {
              "status": "affected",
              "version": "10.3.0"
            },
            {
              "status": "affected",
              "version": "10.3.1"
            },
            {
              "status": "affected",
              "version": "10.3.2"
            },
            {
              "status": "affected",
              "version": "10.3.3"
            },
            {
              "status": "affected",
              "version": "10.3.4"
            },
            {
              "status": "affected",
              "version": "10.4.0"
            },
            {
              "status": "affected",
              "version": "10.5.0"
            },
            {
              "status": "affected",
              "version": "10.6.0"
            }
          ]
        }
      ],
      "datePublic": "2019-12-17T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The Spotfire library component of TIBCO Software Inc.\u0027s TIBCO Spotfire Analytics Platform for AWS Marketplace and TIBCO Spotfire Server contains a vulnerability that theoretically allows an attacker to perform a reflected cross-site scripting (XSS) attack. Affected releases are TIBCO Software Inc.\u0027s TIBCO Spotfire Analytics Platform for AWS Marketplace: version 10.6.0 and TIBCO Spotfire Server: versions 7.11.7 and below, versions 7.12.0, 7.13.0, 7.14.0, 10.0.0, 10.0.1, 10.1.0, 10.2.0, 10.2.1, 10.3.0, 10.3.1, 10.3.2, 10.3.3, and 10.3.4, versions 10.4.0, 10.5.0, and 10.6.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "The impact of the vulnerability includes the theoretical possibility that an attacker could gain full administrative access to the web interface of the affected component.",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-12-17T20:55:18",
        "orgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
        "shortName": "tibco"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://www.tibco.com/services/support/advisories"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.tibco.com/support/advisories/2019/12/tibco-security-advisory-december-17-2019-tibco-spotfire-2019-17337"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "TIBCO has released updated versions of the affected components which address these issues.\n\nTIBCO Spotfire Analytics Platform for AWS Marketplace version 10.6.0 update to version 10.6.1 or higher\nTIBCO Spotfire Server versions 7.11.7 and below update to version 7.11.8 or higher\nTIBCO Spotfire Server versions 7.12.0, 7.13.0, 7.14.0, 10.0.0, 10.0.1, 10.1.0, 10.2.0, 10.2.1, 10.3.0, 10.3.1, 10.3.2, 10.3.3, and 10.3.4 update to version 10.3.5 or higher\nTIBCO Spotfire Server versions 10.4.0, 10.5.0, and 10.6.0 update to version 10.6.1 or higher"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "TIBCO Spotfire Server Library Vulnerable to Reflected Cross-Site Scripting",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@tibco.com",
          "DATE_PUBLIC": "2019-12-17T17:00:00Z",
          "ID": "CVE-2019-17337",
          "STATE": "PUBLIC",
          "TITLE": "TIBCO Spotfire Server Library Vulnerable to Reflected Cross-Site Scripting"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "TIBCO Spotfire Analytics Platform for AWS Marketplace",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "=",
                            "version_value": "10.6.0"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "TIBCO Spotfire Server",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "7.11.7"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "7.12.0"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "7.13.0"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "7.14.0"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "10.0.0"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "10.0.1"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "10.1.0"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "10.2.0"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "10.2.1"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "10.3.0"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "10.3.1"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "10.3.2"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "10.3.3"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "10.3.4"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "10.4.0"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "10.5.0"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "10.6.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "TIBCO Software Inc."
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Spotfire library component of TIBCO Software Inc.\u0027s TIBCO Spotfire Analytics Platform for AWS Marketplace and TIBCO Spotfire Server contains a vulnerability that theoretically allows an attacker to perform a reflected cross-site scripting (XSS) attack. Affected releases are TIBCO Software Inc.\u0027s TIBCO Spotfire Analytics Platform for AWS Marketplace: version 10.6.0 and TIBCO Spotfire Server: versions 7.11.7 and below, versions 7.12.0, 7.13.0, 7.14.0, 10.0.0, 10.0.1, 10.1.0, 10.2.0, 10.2.1, 10.3.0, 10.3.1, 10.3.2, 10.3.3, and 10.3.4, versions 10.4.0, 10.5.0, and 10.6.0."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "The impact of the vulnerability includes the theoretical possibility that an attacker could gain full administrative access to the web interface of the affected component."
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://www.tibco.com/services/support/advisories",
              "refsource": "MISC",
              "url": "http://www.tibco.com/services/support/advisories"
            },
            {
              "name": "https://www.tibco.com/support/advisories/2019/12/tibco-security-advisory-december-17-2019-tibco-spotfire-2019-17337",
              "refsource": "MISC",
              "url": "https://www.tibco.com/support/advisories/2019/12/tibco-security-advisory-december-17-2019-tibco-spotfire-2019-17337"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "TIBCO has released updated versions of the affected components which address these issues.\n\nTIBCO Spotfire Analytics Platform for AWS Marketplace version 10.6.0 update to version 10.6.1 or higher\nTIBCO Spotfire Server versions 7.11.7 and below update to version 7.11.8 or higher\nTIBCO Spotfire Server versions 7.12.0, 7.13.0, 7.14.0, 10.0.0, 10.0.1, 10.1.0, 10.2.0, 10.2.1, 10.3.0, 10.3.1, 10.3.2, 10.3.3, and 10.3.4 update to version 10.3.5 or higher\nTIBCO Spotfire Server versions 10.4.0, 10.5.0, and 10.6.0 update to version 10.6.1 or higher"
          }
        ],
        "source": {
          "discovery": "INTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
    "assignerShortName": "tibco",
    "cveId": "CVE-2019-17337",
    "datePublished": "2019-12-17T20:55:18.595101Z",
    "dateReserved": "2019-10-07T00:00:00",
    "dateUpdated": "2024-09-16T21:02:56.222Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2020-12705

CVE-2019-17337 (GCVE-0-2019-17337)

Tags

Sightings

Nomenclature