CVE-2025-3114 (GCVE-0-2025-3114)
Vulnerability from cvelistv5 – Published: 2025-04-09 17:29 – Updated: 2025-04-15 20:29
Summary
Code Execution via Malicious Files: Attackers can create specially crafted files with embedded code that may execute without adequate security validation, potentially leading to system compromise.
Sandbox Bypass Vulnerability: A flaw in the TERR security mechanism allows attackers to bypass sandbox restrictions, enabling the execution of untrusted code without appropriate controls.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Spotfire | Spotfire Enterprise Runtime for R | Affected: 6, ≤ 1.4 (Patch) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3114",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-09T18:03:07.615805Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-693",
"description": "CWE-693 Protection Mechanism Failure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-15T20:29:11.223Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Spotfire Enterprise Runtime for R",
"vendor": "Spotfire",
"versions": [
{
"lessThanOrEqual": "1.4",
"status": "affected",
"version": "6",
"versionType": "Patch"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Spotfire Statistics Services",
"vendor": "Spotfire",
"versions": [
{
"lessThanOrEqual": "0.6",
"status": "affected",
"version": "14",
"versionType": "Patch"
},
{
"status": "affected",
"version": "14.1.0"
},
{
"status": "affected",
"version": "14.2.0"
},
{
"status": "affected",
"version": "14.3.0"
},
{
"status": "affected",
"version": "14.4.0"
},
{
"status": "affected",
"version": "14.4.1"
}
]
},
{
"defaultStatus": "unknown",
"product": "Spotfire Analyst",
"vendor": "Spotfire",
"versions": [
{
"lessThanOrEqual": "0.5",
"status": "affected",
"version": "14",
"versionType": "Patch"
},
{
"status": "affected",
"version": "14.1.0",
"versionType": "Patch"
},
{
"status": "affected",
"version": "14.2.0",
"versionType": "Patch"
},
{
"status": "affected",
"version": "14.3.0",
"versionType": "Patch"
},
{
"status": "affected",
"version": "14.4.0",
"versionType": "Patch"
},
{
"status": "affected",
"version": "14.4.1",
"versionType": "Patch"
}
]
},
{
"defaultStatus": "unknown",
"product": "Deployment Kit used in Spotfire Server",
"vendor": "Spotfire",
"versions": [
{
"lessThanOrEqual": "0.6",
"status": "affected",
"version": "14",
"versionType": "Patch"
},
{
"status": "affected",
"version": "14.1.0",
"versionType": "Patch"
},
{
"status": "affected",
"version": "14.2.0",
"versionType": "Patch"
},
{
"status": "affected",
"version": "14.3.0",
"versionType": "Patch"
},
{
"status": "affected",
"version": "14.4.0",
"versionType": "Patch"
},
{
"status": "affected",
"version": "14.4.1",
"versionType": "Patch"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Spotfire Desktop",
"vendor": "Spotfire",
"versions": [
{
"lessThanOrEqual": "4.1",
"status": "affected",
"version": "14",
"versionType": "Patch"
}
]
},
{
"defaultStatus": "unknown",
"product": "Spotfire for AWS Marketplace",
"vendor": "Spotfire",
"versions": [
{
"lessThanOrEqual": "4.1",
"status": "unknown",
"version": "14",
"versionType": "Patch"
}
]
},
{
"defaultStatus": "unknown",
"product": "Spotfire Enterprise Runtime for R - Server Edition",
"vendor": "Spotfire",
"versions": [
{
"lessThanOrEqual": "17.6",
"status": "affected",
"version": "1",
"versionType": "Patch"
},
{
"status": "affected",
"version": "1.18.0",
"versionType": "Patch"
},
{
"status": "affected",
"version": "1.19.0",
"versionType": "Patch"
},
{
"status": "affected",
"version": "1.20.0",
"versionType": "Patch"
},
{
"status": "affected",
"version": "1.21.0",
"versionType": "Patch"
},
{
"status": "affected",
"version": "1.21.1",
"versionType": "Patch"
}
]
}
],
"datePublic": "2025-04-08T16:30:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003cstrong\u003eCode Execution via Malicious Files:\u003c/strong\u003e\u0026nbsp;Attackers can create specially crafted files with embedded code that may execute without adequate security validation, potentially leading to system compromise.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSandbox Bypass Vulnerability:\u003c/strong\u003e\u0026nbsp;A flaw in the TERR security mechanism allows attackers to bypass sandbox restrictions, enabling the execution of untrusted code without appropriate controls.\u003c/p\u003e"
}
],
"value": "Code Execution via Malicious Files:\u00a0Attackers can create specially crafted files with embedded code that may execute without adequate security validation, potentially leading to system compromise.\n\nSandbox Bypass Vulnerability:\u00a0A flaw in the TERR security mechanism allows attackers to bypass sandbox restrictions, enabling the execution of untrusted code without appropriate controls."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-09T17:29:48.612Z",
"orgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
"shortName": "tibco"
},
"references": [
{
"url": "https://community.spotfire.com/articles/spotfire/spotfire-security-advisory-april-08-2025-spotfire-cve-2025-3114-r3484/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Spotfire Code Execution Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
"assignerShortName": "tibco",
"cveId": "CVE-2025-3114",
"datePublished": "2025-04-09T17:29:48.612Z",
"dateReserved": "2025-04-02T10:55:41.023Z",
"dateUpdated": "2025-04-15T20:29:11.223Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.