CVE-2021-43053 - OpenCVE

The Realm Server component of TIBCO Software Inc.'s TIBCO FTL - Community Edition, TIBCO FTL - Developer Edition, and TIBCO FTL - Enterprise Edition contains a difficult to exploit vulnerability that allows an unauthenticated attacker with network access to obtain the cluster secret of another application connected to the realm server. Affected releases are TIBCO Software Inc.'s TIBCO FTL - Community Edition: versions 6.7.2 and below, TIBCO FTL - Developer Edition: versions 6.7.2 and below, and TIBCO FTL - Enterprise Edition: versions 6.7.2 and below.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Tibco	Ftl

Configuration 1 [-]

OR	cpe:2.3:a:tibco:ftl:::::community:::*
	cpe:2.3:a:tibco:ftl:::::developer:::*
	cpe:2.3:a:tibco:ftl:::::enterprise:::*

No data.

References

Link	Providers
https://www.tibco.com/services/support/advisories
https://www.tibco.com/support/advisories/2022/01/tibco-security-advisory-january-11-2022-tibco-ftl-2021-43053

History

No history.

MITRE

Status: PUBLISHED

Assigner: tibco

Published: 2022-01-11T18:25:26.263637Z

Updated: 2024-09-16T18:08:27.215Z

Reserved: 2021-10-27T00:00:00

Link: CVE-2021-43053

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-01-11T19:15:07.937

Modified: 2022-01-19T15:09:28.673

Link: CVE-2021-43053

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "TIBCO FTL - Community Edition", "vendor": "TIBCO Software Inc.", "versions": [{"lessThanOrEqual": "6.7.2", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "TIBCO FTL - Developer Edition", "vendor": "TIBCO Software Inc.", "versions": [{"lessThanOrEqual": "6.7.2", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "TIBCO FTL - Enterprise Edition", "vendor": "TIBCO Software Inc.", "versions": [{"lessThanOrEqual": "6.7.2", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "datePublic": "2022-01-11T00:00:00", "descriptions": [{"lang": "en", "value": "The Realm Server component of TIBCO Software Inc.'s TIBCO FTL - Community Edition, TIBCO FTL - Developer Edition, and TIBCO FTL - Enterprise Edition contains a difficult to exploit vulnerability that allows an unauthenticated attacker with network access to obtain the cluster secret of another application connected to the realm server. Affected releases are TIBCO Software Inc.'s TIBCO FTL - Community Edition: versions 6.7.2 and below, TIBCO FTL - Developer Edition: versions 6.7.2 and below, and TIBCO FTL - Enterprise Edition: versions 6.7.2 and below."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "Successful execution of this vulnerability can result in an attacker gaining full access to communication on an existing eFTL channel on the affected system.", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-01-11T19:06:20", "orgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db", "shortName": "tibco"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.tibco.com/services/support/advisories"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.tibco.com/support/advisories/2022/01/tibco-security-advisory-january-11-2022-tibco-ftl-2021-43053"}], "solutions": [{"lang": "en", "value": "TIBCO has released updated versions of the affected components which address these issues.\n\nTIBCO FTL - Community Edition versions 6.7.2 and below update to version 6.7.3 or later\nTIBCO FTL - Developer Edition versions 6.7.2 and below update to version 6.7.3 or later\nTIBCO FTL - Enterprise Edition versions 6.7.2 and below update to version 6.7.3 or later"}], "source": {"discovery": "INTERNAL"}, "title": "TIBCO FTL Secret Exposure Vulnerability", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@tibco.com", "DATE_PUBLIC": "2022-01-11T17:00:00Z", "ID": "CVE-2021-43053", "STATE": "PUBLIC", "TITLE": "TIBCO FTL Secret Exposure Vulnerability"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "TIBCO FTL - Community Edition", "version": {"version_data": [{"version_affected": "<=", "version_value": "6.7.2"}]}}, {"product_name": "TIBCO FTL - Developer Edition", "version": {"version_data": [{"version_affected": "<=", "version_value": "6.7.2"}]}}, {"product_name": "TIBCO FTL - Enterprise Edition", "version": {"version_data": [{"version_affected": "<=", "version_value": "6.7.2"}]}}]}, "vendor_name": "TIBCO Software Inc."}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Realm Server component of TIBCO Software Inc.'s TIBCO FTL - Community Edition, TIBCO FTL - Developer Edition, and TIBCO FTL - Enterprise Edition contains a difficult to exploit vulnerability that allows an unauthenticated attacker with network access to obtain the cluster secret of another application connected to the realm server. Affected releases are TIBCO Software Inc.'s TIBCO FTL - Community Edition: versions 6.7.2 and below, TIBCO FTL - Developer Edition: versions 6.7.2 and below, and TIBCO FTL - Enterprise Edition: versions 6.7.2 and below."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Successful execution of this vulnerability can result in an attacker gaining full access to communication on an existing eFTL channel on the affected system."}]}]}, "references": {"reference_data": [{"name": "https://www.tibco.com/services/support/advisories", "refsource": "CONFIRM", "url": "https://www.tibco.com/services/support/advisories"}, {"name": "https://www.tibco.com/support/advisories/2022/01/tibco-security-advisory-january-11-2022-tibco-ftl-2021-43053", "refsource": "CONFIRM", "url": "https://www.tibco.com/support/advisories/2022/01/tibco-security-advisory-january-11-2022-tibco-ftl-2021-43053"}]}, "solution": [{"lang": "en", "value": "TIBCO has released updated versions of the affected components which address these issues.\n\nTIBCO FTL - Community Edition versions 6.7.2 and below update to version 6.7.3 or later\nTIBCO FTL - Developer Edition versions 6.7.2 and below update to version 6.7.3 or later\nTIBCO FTL - Enterprise Edition versions 6.7.2 and below update to version 6.7.3 or later"}], "source": {"discovery": "INTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T03:47:13.205Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.tibco.com/services/support/advisories"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.tibco.com/support/advisories/2022/01/tibco-security-advisory-january-11-2022-tibco-ftl-2021-43053"}]}]}, "cveMetadata": {"assignerOrgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db", "assignerShortName": "tibco", "cveId": "CVE-2021-43053", "datePublished": "2022-01-11T18:25:26.263637Z", "dateReserved": "2021-10-27T00:00:00", "dateUpdated": "2024-09-16T18:08:27.215Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tibco:ftl:*:*:*:*:community:*:*:*", "matchCriteriaId": "E1F35EEF-4180-4D43-9FEE-656991213CC3", "versionEndIncluding": "6.7.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:tibco:ftl:*:*:*:*:developer:*:*:*", "matchCriteriaId": "01B89903-810C-42C1-BD78-1618A24E482C", "versionEndIncluding": "6.7.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:tibco:ftl:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "821B3499-6FB1-4B3A-99AF-A9CF397A1AA8", "versionEndIncluding": "6.7.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Realm Server component of TIBCO Software Inc.'s TIBCO FTL - Community Edition, TIBCO FTL - Developer Edition, and TIBCO FTL - Enterprise Edition contains a difficult to exploit vulnerability that allows an unauthenticated attacker with network access to obtain the cluster secret of another application connected to the realm server. Affected releases are TIBCO Software Inc.'s TIBCO FTL - Community Edition: versions 6.7.2 and below, TIBCO FTL - Developer Edition: versions 6.7.2 and below, and TIBCO FTL - Enterprise Edition: versions 6.7.2 and below."}, {"lang": "es", "value": "El componente Realm Server de TIBCO Software Inc.'s TIBCO FTL - Community Edition, TIBCO FTL - Developer Edition, y TIBCO FTL - Enterprise Edition contiene una vulnerabilidad dif\u00edcil de explotar que permite a un atacante no autenticado con acceso a la red obtener el secreto del cluster de otra aplicaci\u00f3n conectada al servidor de reino. Las versiones afectadas son TIBCO FTL - Community Edition de TIBCO Software Inc.: versiones 6.7.2 y anteriores, TIBCO FTL - Developer Edition: versiones 6.7.2 y anteriores, y TIBCO FTL - Enterprise Edition: versiones 6.7.2 y anteriores"}], "id": "CVE-2021-43053", "lastModified": "2022-01-19T15:09:28.673", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.7, "source": "security@tibco.com", "type": "Secondary"}]}, "published": "2022-01-11T19:15:07.937", "references": [{"source": "security@tibco.com", "tags": ["Vendor Advisory"], "url": "https://www.tibco.com/services/support/advisories"}, {"source": "security@tibco.com", "tags": ["Vendor Advisory"], "url": "https://www.tibco.com/support/advisories/2022/01/tibco-security-advisory-january-11-2022-tibco-ftl-2021-43053"}], "sourceIdentifier": "security@tibco.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}