CVE-2021-43054 - OpenCVE

The eFTL Server component of TIBCO Software Inc.'s TIBCO eFTL - Community Edition, TIBCO eFTL - Developer Edition, and TIBCO eFTL - Enterprise Edition contains an easily exploitable vulnerability that allows a low privileged attacker with network access to generate API tokens that can access any other channel with arbitrary permissions. Affected releases are TIBCO Software Inc.'s TIBCO eFTL - Community Edition: versions 6.7.2 and below, TIBCO eFTL - Developer Edition: versions 6.7.2 and below, and TIBCO eFTL - Enterprise Edition: versions 6.7.2 and below.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Tibco	Eftl

Configuration 1 [-]

OR	cpe:2.3:a:tibco:eftl:::::community:::*
	cpe:2.3:a:tibco:eftl:::::developer:::*
	cpe:2.3:a:tibco:eftl:::::enterprise:::*

No data.

References

Link	Providers
https://www.tibco.com/services/support/advisories
https://www.tibco.com/support/advisories/2022/01/tibco-security-advisory-january-11-2022-tibco-eftl-2021-43054

History

No history.

MITRE

Status: PUBLISHED

Assigner: tibco

Published: 2022-01-11T18:25:27.550089Z

Updated: 2024-09-17T02:11:55.506Z

Reserved: 2021-10-27T00:00:00

Link: CVE-2021-43054

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-01-11T19:15:07.987

Modified: 2022-01-19T15:11:01.853

Link: CVE-2021-43054

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "TIBCO eFTL - Community Edition", "vendor": "TIBCO Software Inc.", "versions": [{"lessThanOrEqual": "6.7.2", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "TIBCO eFTL - Developer Edition", "vendor": "TIBCO Software Inc.", "versions": [{"lessThanOrEqual": "6.7.2", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "TIBCO eFTL - Enterprise Edition", "vendor": "TIBCO Software Inc.", "versions": [{"lessThanOrEqual": "6.7.2", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "datePublic": "2022-01-11T00:00:00", "descriptions": [{"lang": "en", "value": "The eFTL Server component of TIBCO Software Inc.'s TIBCO eFTL - Community Edition, TIBCO eFTL - Developer Edition, and TIBCO eFTL - Enterprise Edition contains an easily exploitable vulnerability that allows a low privileged attacker with network access to generate API tokens that can access any other channel with arbitrary permissions. Affected releases are TIBCO Software Inc.'s TIBCO eFTL - Community Edition: versions 6.7.2 and below, TIBCO eFTL - Developer Edition: versions 6.7.2 and below, and TIBCO eFTL - Enterprise Edition: versions 6.7.2 and below."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "Successful execution of this vulnerability can result in an attacker gaining full access to communication on an existing channel on the affected system.", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-01-11T19:06:18", "orgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db", "shortName": "tibco"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.tibco.com/services/support/advisories"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.tibco.com/support/advisories/2022/01/tibco-security-advisory-january-11-2022-tibco-eftl-2021-43054"}], "solutions": [{"lang": "en", "value": "TIBCO has released updated versions of the affected components which address these issues.\n\nTIBCO eFTL - Community Edition versions 6.7.2 and below update to version 6.7.3 or later\nTIBCO eFTL - Developer Edition versions 6.7.2 and below update to version 6.7.3 or later\nTIBCO eFTL - Enterprise Edition versions 6.7.2 and below update to version 6.7.3 or later"}], "source": {"discovery": "INTERNAL"}, "title": "TIBCO eFTL Token Generation Vulnerability", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@tibco.com", "DATE_PUBLIC": "2022-01-11T17:00:00Z", "ID": "CVE-2021-43054", "STATE": "PUBLIC", "TITLE": "TIBCO eFTL Token Generation Vulnerability"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "TIBCO eFTL - Community Edition", "version": {"version_data": [{"version_affected": "<=", "version_value": "6.7.2"}]}}, {"product_name": "TIBCO eFTL - Developer Edition", "version": {"version_data": [{"version_affected": "<=", "version_value": "6.7.2"}]}}, {"product_name": "TIBCO eFTL - Enterprise Edition", "version": {"version_data": [{"version_affected": "<=", "version_value": "6.7.2"}]}}]}, "vendor_name": "TIBCO Software Inc."}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The eFTL Server component of TIBCO Software Inc.'s TIBCO eFTL - Community Edition, TIBCO eFTL - Developer Edition, and TIBCO eFTL - Enterprise Edition contains an easily exploitable vulnerability that allows a low privileged attacker with network access to generate API tokens that can access any other channel with arbitrary permissions. Affected releases are TIBCO Software Inc.'s TIBCO eFTL - Community Edition: versions 6.7.2 and below, TIBCO eFTL - Developer Edition: versions 6.7.2 and below, and TIBCO eFTL - Enterprise Edition: versions 6.7.2 and below."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Successful execution of this vulnerability can result in an attacker gaining full access to communication on an existing channel on the affected system."}]}]}, "references": {"reference_data": [{"name": "https://www.tibco.com/services/support/advisories", "refsource": "CONFIRM", "url": "https://www.tibco.com/services/support/advisories"}, {"name": "https://www.tibco.com/support/advisories/2022/01/tibco-security-advisory-january-11-2022-tibco-eftl-2021-43054", "refsource": "CONFIRM", "url": "https://www.tibco.com/support/advisories/2022/01/tibco-security-advisory-january-11-2022-tibco-eftl-2021-43054"}]}, "solution": [{"lang": "en", "value": "TIBCO has released updated versions of the affected components which address these issues.\n\nTIBCO eFTL - Community Edition versions 6.7.2 and below update to version 6.7.3 or later\nTIBCO eFTL - Developer Edition versions 6.7.2 and below update to version 6.7.3 or later\nTIBCO eFTL - Enterprise Edition versions 6.7.2 and below update to version 6.7.3 or later"}], "source": {"discovery": "INTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T03:47:13.223Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.tibco.com/services/support/advisories"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.tibco.com/support/advisories/2022/01/tibco-security-advisory-january-11-2022-tibco-eftl-2021-43054"}]}]}, "cveMetadata": {"assignerOrgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db", "assignerShortName": "tibco", "cveId": "CVE-2021-43054", "datePublished": "2022-01-11T18:25:27.550089Z", "dateReserved": "2021-10-27T00:00:00", "dateUpdated": "2024-09-17T02:11:55.506Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tibco:eftl:*:*:*:*:community:*:*:*", "matchCriteriaId": "03ACBE3F-6FC8-4F79-9B26-80BBDDACF24E", "versionEndIncluding": "6.7.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:tibco:eftl:*:*:*:*:developer:*:*:*", "matchCriteriaId": "8AA36B2D-C7B9-4866-A350-6C251E662BF7", "versionEndIncluding": "6.7.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:tibco:eftl:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "CF0E1715-61DB-4B7B-9B31-5363005DCB0C", "versionEndIncluding": "6.7.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The eFTL Server component of TIBCO Software Inc.'s TIBCO eFTL - Community Edition, TIBCO eFTL - Developer Edition, and TIBCO eFTL - Enterprise Edition contains an easily exploitable vulnerability that allows a low privileged attacker with network access to generate API tokens that can access any other channel with arbitrary permissions. Affected releases are TIBCO Software Inc.'s TIBCO eFTL - Community Edition: versions 6.7.2 and below, TIBCO eFTL - Developer Edition: versions 6.7.2 and below, and TIBCO eFTL - Enterprise Edition: versions 6.7.2 and below."}, {"lang": "es", "value": "El componente eFTL Server de TIBCO Software Inc.'s TIBCO eFTL - Community Edition, TIBCO eFTL - Developer Edition, y TIBCO eFTL - Enterprise Edition contiene una vulnerabilidad f\u00e1cilmente explotable que permite a un atacante con pocos privilegios y acceso a la red generar tokens de API que pueden acceder a cualquier otro canal con permisos arbitrarios. Las versiones afectadas son TIBCO Software Inc.'s TIBCO eFTL - Community Edition: versiones 6.7.2 y anteriores, TIBCO eFTL - Developer Edition: versiones 6.7.2 y anteriores, y TIBCO eFTL - Enterprise Edition: versiones 6.7.2 y anteriores"}], "id": "CVE-2021-43054", "lastModified": "2022-01-19T15:11:01.853", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "security@tibco.com", "type": "Secondary"}]}, "published": "2022-01-11T19:15:07.987", "references": [{"source": "security@tibco.com", "tags": ["Vendor Advisory"], "url": "https://www.tibco.com/services/support/advisories"}, {"source": "security@tibco.com", "tags": ["Vendor Advisory"], "url": "https://www.tibco.com/support/advisories/2022/01/tibco-security-advisory-january-11-2022-tibco-eftl-2021-43054"}], "sourceIdentifier": "security@tibco.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}