Vulnerability-Lookup

CNVD-2020-48991

Vulnerability from cnvd - Published: 2020-08-28

Title

TIBCO Software Data Virtualization任意文件下载漏洞

Description

TIBCO Software Data Virtualization是一款企业数据虚拟化解决方案。 TIBCO Software Data Virtualization中的TIBCO Data Virtualization Server组件存在任意文件下载漏洞，远程攻击者可利用该漏洞提交特殊的请求，下载系统任意文件。

Severity

中

Patch Name

TIBCO Software Data Virtualization任意文件下载漏洞的补丁

Patch Description

TIBCO Software Data Virtualization是一款企业数据虚拟化解决方案。 TIBCO Software Data Virtualization中的TIBCO Data Virtualization Server组件存在任意文件下载漏洞，远程攻击者可利用该漏洞提交特殊的请求，下载系统任意文件。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://www.tibco.com/support/advisories/2020/08/tibco-security-advisory-august-18-2020-tibco-data-virtualization

Reference

https://www.tibco.com/support/advisories/2020/08/tibco-security-advisory-august-18-2020-tibco-data-virtualization

Impacted products

Name
['TIBCO Software Data Virtualization <=7.0.8', 'TIBCO Software Data Virtualization 8.0.0', 'TIBCO Software Data Virtualization 8.1.0', 'TIBCO Software Data Virtualization 8.1.1', 'TIBCO Software Data Virtualization 8.2.0', 'TIBCO Software Data Virtualization for AWS Marketplace <=8.2.0']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-9415",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2020-9415"
    }
  },
  "description": "TIBCO Software Data Virtualization\u662f\u4e00\u6b3e\u4f01\u4e1a\u6570\u636e\u865a\u62df\u5316\u89e3\u51b3\u65b9\u6848\u3002\n\nTIBCO Software Data Virtualization\u4e2d\u7684TIBCO Data Virtualization Server\u7ec4\u4ef6\u5b58\u5728\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u63d0\u4ea4\u7279\u6b8a\u7684\u8bf7\u6c42\uff0c\u4e0b\u8f7d\u7cfb\u7edf\u4efb\u610f\u6587\u4ef6\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://www.tibco.com/support/advisories/2020/08/tibco-security-advisory-august-18-2020-tibco-data-virtualization",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-48991",
  "openTime": "2020-08-28",
  "patchDescription": "TIBCO Software Data Virtualization\u662f\u4e00\u6b3e\u4f01\u4e1a\u6570\u636e\u865a\u62df\u5316\u89e3\u51b3\u65b9\u6848\u3002\r\n\r\nTIBCO Software Data Virtualization\u4e2d\u7684TIBCO Data Virtualization Server\u7ec4\u4ef6\u5b58\u5728\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u63d0\u4ea4\u7279\u6b8a\u7684\u8bf7\u6c42\uff0c\u4e0b\u8f7d\u7cfb\u7edf\u4efb\u610f\u6587\u4ef6\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "TIBCO Software Data Virtualization\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "TIBCO Software Data Virtualization \u003c=7.0.8",
      "TIBCO Software Data Virtualization 8.0.0",
      "TIBCO Software Data Virtualization 8.1.0",
      "TIBCO Software Data Virtualization 8.1.1",
      "TIBCO Software Data Virtualization 8.2.0",
      "TIBCO Software Data Virtualization for AWS Marketplace \u003c=8.2.0"
    ]
  },
  "referenceLink": "https://www.tibco.com/support/advisories/2020/08/tibco-security-advisory-august-18-2020-tibco-data-virtualization",
  "serverity": "\u4e2d",
  "submitTime": "2020-08-24",
  "title": "TIBCO Software Data Virtualization\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u6f0f\u6d1e"
}

CVE-2020-9415 (GCVE-0-2020-9415)

Vulnerability from cvelistv5 – Published: 2020-08-18 18:50 – Updated: 2024-09-16 17:04

Title

TIBCO Data Virtualization

Summary

The TIBCO Data Virtualization Server component of TIBCO Software Inc.'s TIBCO Data Virtualization and TIBCO Data Virtualization for AWS Marketplace contains a vulnerability that theoretically allows a malicious authenticated user to download any arbitrary file from the affected system. The user must be authenticated and have privileges required to monitor the server in an operational capacity. Affected releases are TIBCO Software Inc.'s TIBCO Data Virtualization: versions 7.0.8 and below, versions 8.0.0, 8.1.0, 8.1.1, and 8.2.0 and TIBCO Data Virtualization for AWS Marketplace: versions 8.2.0 and below.

Severity

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE

The impact of these vulnerabilities includes the theoretical possibility that a malicious user could exfiltrate any data file on the affected system. The malicious user cannot modify or delete any files on the affected system with this vulnerability.

Assigner

tibco

References

2 references

URL	Tags
http://www.tibco.com/services/support/advisories	x_refsource_CONFIRM
https://www.tibco.com/support/advisories/2020/08/…	x_refsource_CONFIRM

Impacted products

2 products

Vendor	Product	Version
TIBCO Software Inc.	TIBCO Data Virtualization	Affected: unspecified , ≤ 7.0.8 (custom) Affected: 8.0.0 Affected: 8.1.0 Affected: 8.1.1 Affected: 8.2.0
TIBCO Software Inc.	TIBCO Data Virtualization for AWS Marketplace	Affected: unspecified , ≤ 8.2.0 (custom)

Date Public

2020-08-18 00:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T10:26:16.248Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.tibco.com/services/support/advisories"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.tibco.com/support/advisories/2020/08/tibco-security-advisory-august-18-2020-tibco-data-virtualization"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "TIBCO Data Virtualization",
          "vendor": "TIBCO Software Inc.",
          "versions": [
            {
              "lessThanOrEqual": "7.0.8",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "status": "affected",
              "version": "8.0.0"
            },
            {
              "status": "affected",
              "version": "8.1.0"
            },
            {
              "status": "affected",
              "version": "8.1.1"
            },
            {
              "status": "affected",
              "version": "8.2.0"
            }
          ]
        },
        {
          "product": "TIBCO Data Virtualization for AWS Marketplace",
          "vendor": "TIBCO Software Inc.",
          "versions": [
            {
              "lessThanOrEqual": "8.2.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2020-08-18T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "The TIBCO Data Virtualization Server component of TIBCO Software Inc.\u0027s TIBCO Data Virtualization and TIBCO Data Virtualization for AWS Marketplace contains a vulnerability that theoretically allows a malicious authenticated user to download any arbitrary file from the affected system. The user must be authenticated and have privileges required to monitor the server in an operational capacity. Affected releases are TIBCO Software Inc.\u0027s TIBCO Data Virtualization: versions 7.0.8 and below, versions 8.0.0, 8.1.0, 8.1.1, and 8.2.0 and TIBCO Data Virtualization for AWS Marketplace: versions 8.2.0 and below."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "The impact of these vulnerabilities includes the theoretical possibility that a malicious user could exfiltrate any data file on the affected system. The malicious user cannot modify or delete any files on the affected system with this vulnerability.",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-08-18T19:06:03.000Z",
        "orgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
        "shortName": "tibco"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.tibco.com/services/support/advisories"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.tibco.com/support/advisories/2020/08/tibco-security-advisory-august-18-2020-tibco-data-virtualization"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "TIBCO has released updated versions of the affected components which address these issues.\n\n TIBCO Data Virtualization versions 7.0.8 and below update to version 7.0.9 or higher\n TIBCO Data Virtualization versions 8.0.0, 8.1.0, 8.1.1, and 8.2.0 update to version 8.3.0 or higher\n TIBCO Data Virtualization for AWS Marketplace versions 8.2.0 and below update to version 8.3.0 or higher"
        }
      ],
      "source": {
        "discovery": "USER"
      },
      "title": "TIBCO Data Virtualization",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@tibco.com",
          "DATE_PUBLIC": "2020-08-18T17:00:00Z",
          "ID": "CVE-2020-9415",
          "STATE": "PUBLIC",
          "TITLE": "TIBCO Data Virtualization"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "TIBCO Data Virtualization",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "7.0.8"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "8.0.0"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "8.1.0"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "8.1.1"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "8.2.0"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "TIBCO Data Virtualization for AWS Marketplace",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "8.2.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "TIBCO Software Inc."
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The TIBCO Data Virtualization Server component of TIBCO Software Inc.\u0027s TIBCO Data Virtualization and TIBCO Data Virtualization for AWS Marketplace contains a vulnerability that theoretically allows a malicious authenticated user to download any arbitrary file from the affected system. The user must be authenticated and have privileges required to monitor the server in an operational capacity. Affected releases are TIBCO Software Inc.\u0027s TIBCO Data Virtualization: versions 7.0.8 and below, versions 8.0.0, 8.1.0, 8.1.1, and 8.2.0 and TIBCO Data Virtualization for AWS Marketplace: versions 8.2.0 and below."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "The impact of these vulnerabilities includes the theoretical possibility that a malicious user could exfiltrate any data file on the affected system. The malicious user cannot modify or delete any files on the affected system with this vulnerability."
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://www.tibco.com/services/support/advisories",
              "refsource": "CONFIRM",
              "url": "http://www.tibco.com/services/support/advisories"
            },
            {
              "name": "https://www.tibco.com/support/advisories/2020/08/tibco-security-advisory-august-18-2020-tibco-data-virtualization",
              "refsource": "CONFIRM",
              "url": "https://www.tibco.com/support/advisories/2020/08/tibco-security-advisory-august-18-2020-tibco-data-virtualization"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "TIBCO has released updated versions of the affected components which address these issues.\n\n TIBCO Data Virtualization versions 7.0.8 and below update to version 7.0.9 or higher\n TIBCO Data Virtualization versions 8.0.0, 8.1.0, 8.1.1, and 8.2.0 update to version 8.3.0 or higher\n TIBCO Data Virtualization for AWS Marketplace versions 8.2.0 and below update to version 8.3.0 or higher"
          }
        ],
        "source": {
          "discovery": "USER"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
    "assignerShortName": "tibco",
    "cveId": "CVE-2020-9415",
    "datePublished": "2020-08-18T18:50:11.750Z",
    "dateReserved": "2020-02-26T00:00:00.000Z",
    "dateUpdated": "2024-09-16T17:04:04.831Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2020-48991

CVE-2020-9415 (GCVE-0-2020-9415)

Tags

Sightings

Nomenclature