Risk | High |
Patch available | YES |
Number of vulnerabilities | 2 |
CVE-ID | CVE-2019-11211, CVE-2019-11210 |
CWE-ID | CWE-20 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | TIBCO Spotfire for AWS (Server applications / Other server solutions); TIBCO Enterprise Runtime for R - Server Edition (Server applications / Other server solutions) |
Vendor | TIBCO |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
EUVDB-ID: #VU21210
Risk: Medium
CVSSv4.0: 5.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2019-11211
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description
The vulnerability allows a remote attacker to compromise a vulnerable system.
The vulnerability exists due to an unspecified error. A remote authenticated attacker can execute arbitrary code on the target system.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
TIBCO Spotfire for AWS: 10.4.0 - 10.5.0
TIBCO Enterprise Runtime for R - Server Edition: 1.1.0 - 1.2.0
https://www.tibco.com/services/support/advisories
https://www.tibco.com/support/advisories/2019/09/tibco-security-advisory-september-17-2019-tibco-enterprise-runtime-for-r-server-2019-11211
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU21212
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2019-11210
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description
The vulnerability allows a remote attacker to compromise a vulnerable system.
The vulnerability exists due to an unspecified error. A remote unauthenticated attacker can execute arbitrary code on the target system and gain full control of the operating system account hosting the affected component.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
TIBCO Spotfire for AWS: 10.4.0 - 10.5.0
TIBCO Enterprise Runtime for R - Server Edition: 1.1.0 - 1.2.0
https://www.tibco.com/services/support/advisories
https://www.tibco.com/support/advisories/2019/09/tibco-security-advisory-september-17-2019-tibco-enterprise-runtime-for-r-server-2019-11210
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.