Vulnerability-Lookup

GHSA-8FR4-XH7C-MQ37

Vulnerability from github – Published: 2022-01-12 00:01 – Updated: 2022-01-20 00:02

Details

The Realm Server component of TIBCO Software Inc.'s TIBCO FTL - Community Edition, TIBCO FTL - Developer Edition, and TIBCO FTL - Enterprise Edition contains a difficult to exploit vulnerability that allows an unauthenticated attacker with network access to obtain the cluster secret of another application connected to the realm server. Affected releases are TIBCO Software Inc.'s TIBCO FTL - Community Edition: versions 6.7.2 and below, TIBCO FTL - Developer Edition: versions 6.7.2 and below, and TIBCO FTL - Enterprise Edition: versions 6.7.2 and below.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2021-43053"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-01-11T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "The Realm Server component of TIBCO Software Inc.\u0027s TIBCO FTL - Community Edition, TIBCO FTL - Developer Edition, and TIBCO FTL - Enterprise Edition contains a difficult to exploit vulnerability that allows an unauthenticated attacker with network access to obtain the cluster secret of another application connected to the realm server. Affected releases are TIBCO Software Inc.\u0027s TIBCO FTL - Community Edition: versions 6.7.2 and below, TIBCO FTL - Developer Edition: versions 6.7.2 and below, and TIBCO FTL - Enterprise Edition: versions 6.7.2 and below.",
  "id": "GHSA-8fr4-xh7c-mq37",
  "modified": "2022-01-20T00:02:40Z",
  "published": "2022-01-12T00:01:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43053"
    },
    {
      "type": "WEB",
      "url": "https://www.tibco.com/services/support/advisories"
    },
    {
      "type": "WEB",
      "url": "https://www.tibco.com/support/advisories/2022/01/tibco-security-advisory-january-11-2022-tibco-ftl-2021-43053"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

CVE-2021-43053 (GCVE-0-2021-43053)

Vulnerability from cvelistv5 – Published: 2022-01-11 18:25 – Updated: 2024-09-16 18:08

Title

TIBCO FTL Secret Exposure Vulnerability

Summary

Severity

8.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

CWE

Successful execution of this vulnerability can result in an attacker gaining full access to communication on an existing eFTL channel on the affected system.

Assigner

tibco

References

2 references

URL	Tags
https://www.tibco.com/services/support/advisories	x_refsource_CONFIRM
https://www.tibco.com/support/advisories/2022/01/…	x_refsource_CONFIRM

Impacted products

3 products

Vendor	Product	Version
TIBCO Software Inc.	TIBCO FTL - Community Edition	Affected: unspecified , ≤ 6.7.2 (custom)
TIBCO Software Inc.	TIBCO FTL - Developer Edition	Affected: unspecified , ≤ 6.7.2 (custom)
TIBCO Software Inc.	TIBCO FTL - Enterprise Edition	Affected: unspecified , ≤ 6.7.2 (custom)

Date Public

2022-01-11 00:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T03:47:13.205Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.tibco.com/services/support/advisories"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.tibco.com/support/advisories/2022/01/tibco-security-advisory-january-11-2022-tibco-ftl-2021-43053"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "TIBCO FTL - Community Edition",
          "vendor": "TIBCO Software Inc.",
          "versions": [
            {
              "lessThanOrEqual": "6.7.2",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "TIBCO FTL - Developer Edition",
          "vendor": "TIBCO Software Inc.",
          "versions": [
            {
              "lessThanOrEqual": "6.7.2",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "TIBCO FTL - Enterprise Edition",
          "vendor": "TIBCO Software Inc.",
          "versions": [
            {
              "lessThanOrEqual": "6.7.2",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2022-01-11T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "The Realm Server component of TIBCO Software Inc.\u0027s TIBCO FTL - Community Edition, TIBCO FTL - Developer Edition, and TIBCO FTL - Enterprise Edition contains a difficult to exploit vulnerability that allows an unauthenticated attacker with network access to obtain the cluster secret of another application connected to the realm server. Affected releases are TIBCO Software Inc.\u0027s TIBCO FTL - Community Edition: versions 6.7.2 and below, TIBCO FTL - Developer Edition: versions 6.7.2 and below, and TIBCO FTL - Enterprise Edition: versions 6.7.2 and below."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Successful execution of this vulnerability can result in an attacker gaining full access to communication on an existing eFTL channel on the affected system.",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-01-11T19:06:20.000Z",
        "orgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
        "shortName": "tibco"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.tibco.com/services/support/advisories"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.tibco.com/support/advisories/2022/01/tibco-security-advisory-january-11-2022-tibco-ftl-2021-43053"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "TIBCO has released updated versions of the affected components which address these issues.\n\nTIBCO FTL - Community Edition versions 6.7.2 and below update to version 6.7.3 or later\nTIBCO FTL - Developer Edition versions 6.7.2 and below update to version 6.7.3 or later\nTIBCO FTL - Enterprise Edition versions 6.7.2 and below update to version 6.7.3 or later"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "TIBCO FTL Secret Exposure Vulnerability",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@tibco.com",
          "DATE_PUBLIC": "2022-01-11T17:00:00Z",
          "ID": "CVE-2021-43053",
          "STATE": "PUBLIC",
          "TITLE": "TIBCO FTL Secret Exposure Vulnerability"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "TIBCO FTL - Community Edition",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "6.7.2"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "TIBCO FTL - Developer Edition",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "6.7.2"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "TIBCO FTL - Enterprise Edition",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "6.7.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "TIBCO Software Inc."
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Realm Server component of TIBCO Software Inc.\u0027s TIBCO FTL - Community Edition, TIBCO FTL - Developer Edition, and TIBCO FTL - Enterprise Edition contains a difficult to exploit vulnerability that allows an unauthenticated attacker with network access to obtain the cluster secret of another application connected to the realm server. Affected releases are TIBCO Software Inc.\u0027s TIBCO FTL - Community Edition: versions 6.7.2 and below, TIBCO FTL - Developer Edition: versions 6.7.2 and below, and TIBCO FTL - Enterprise Edition: versions 6.7.2 and below."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Successful execution of this vulnerability can result in an attacker gaining full access to communication on an existing eFTL channel on the affected system."
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.tibco.com/services/support/advisories",
              "refsource": "CONFIRM",
              "url": "https://www.tibco.com/services/support/advisories"
            },
            {
              "name": "https://www.tibco.com/support/advisories/2022/01/tibco-security-advisory-january-11-2022-tibco-ftl-2021-43053",
              "refsource": "CONFIRM",
              "url": "https://www.tibco.com/support/advisories/2022/01/tibco-security-advisory-january-11-2022-tibco-ftl-2021-43053"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "TIBCO has released updated versions of the affected components which address these issues.\n\nTIBCO FTL - Community Edition versions 6.7.2 and below update to version 6.7.3 or later\nTIBCO FTL - Developer Edition versions 6.7.2 and below update to version 6.7.3 or later\nTIBCO FTL - Enterprise Edition versions 6.7.2 and below update to version 6.7.3 or later"
          }
        ],
        "source": {
          "discovery": "INTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
    "assignerShortName": "tibco",
    "cveId": "CVE-2021-43053",
    "datePublished": "2022-01-11T18:25:26.263Z",
    "dateReserved": "2021-10-27T00:00:00.000Z",
    "dateUpdated": "2024-09-16T18:08:27.215Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-8FR4-XH7C-MQ37

CVE-2021-43053 (GCVE-0-2021-43053)

Tags

Sightings

Nomenclature