OpenCVE

The Spotfire Connectors component of TIBCO Software Inc.'s Spotfire Analyst, Spotfire Server, and Spotfire for AWS Marketplace contains an easily exploitable vulnerability that allows a low privileged attacker with read/write access to craft malicious Analyst files. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.'s Spotfire Analyst: versions 12.3.0, 12.4.0, and 12.5.0, Spotfire Server: versions 12.3.0, 12.4.0, and 12.5.0, and Spotfire for AWS Marketplace: version 12.5.0.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Tibco	Spotfire Analyst Spotfire Analytics Platform Spotfire Server

Configuration 1 [-]

OR	cpe:2.3:a:tibco:spotfire_analyst:12.3.0:::::::*
	cpe:2.3:a:tibco:spotfire_analyst:12.4.0:::::::*
	cpe:2.3:a:tibco:spotfire_analyst:12.5.0:::::::*
	cpe:2.3:a:tibco:spotfire_analytics_platform:12.5.0:::::aws_marketplace::
	cpe:2.3:a:tibco:spotfire_server:12.3.0:::::::*
	cpe:2.3:a:tibco:spotfire_server:12.4.0:::::::*
	cpe:2.3:a:tibco:spotfire_server:12.5.0:::::::*

No data.

References

Link	Providers
https://www.tibco.com/services/support/advisories

History

No history.

MITRE

Status: PUBLISHED

Assigner: tibco

Published: 2023-11-08T19:44:03.634Z

Updated: 2024-09-04T15:46:47.013Z

Reserved: 2023-02-20T22:18:23.428Z

Link: CVE-2023-26221

Vulnrichment

Updated: 2024-08-02T11:46:23.940Z

NVD

Status : Modified

Published: 2023-11-08T20:15:07.313

Modified: 2024-11-21T07:50:56.717

Link: CVE-2023-26221

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-26221", "assignerOrgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db", "state": "PUBLISHED", "assignerShortName": "tibco", "dateReserved": "2023-02-20T22:18:23.428Z", "datePublished": "2023-11-08T19:44:03.634Z", "dateUpdated": "2024-09-04T15:46:47.013Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "product": "Spotfire Analyst", "vendor": "TIBCO Software Inc.", "versions": [{"status": "affected", "version": "12.3.0"}, {"status": "affected", "version": "12.4.0"}, {"status": "affected", "version": "12.5.0"}]}, {"defaultStatus": "unknown", "product": "Spotfire Server", "vendor": "TIBCO Software Inc.", "versions": [{"status": "affected", "version": "12.3.0"}, {"status": "affected", "version": "12.4.0"}, {"status": "affected", "version": "12.5.0"}]}, {"defaultStatus": "unknown", "product": "Spotfire for AWS Marketplace", "vendor": "TIBCO Software Inc.", "versions": [{"status": "affected", "version": "12.5.0"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>The Spotfire Connectors component of TIBCO Software Inc.'s Spotfire Analyst, Spotfire Server, and Spotfire for AWS Marketplace contains an easily exploitable vulnerability that allows a low privileged attacker with read/write access to craft malicious Analyst files. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.'s Spotfire Analyst: versions 12.3.0, 12.4.0, and 12.5.0, Spotfire Server: versions 12.3.0, 12.4.0, and 12.5.0, and Spotfire for AWS Marketplace: version 12.5.0.</p>"}], "value": "The Spotfire Connectors component of TIBCO Software Inc.'s Spotfire Analyst, Spotfire Server, and Spotfire for AWS Marketplace contains an easily exploitable vulnerability that allows a low privileged attacker with read/write access to craft malicious Analyst files. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.'s Spotfire Analyst: versions 12.3.0, 12.4.0, and 12.5.0, Spotfire Server: versions 12.3.0, 12.4.0, and 12.5.0, and Spotfire for AWS Marketplace: version 12.5.0.\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-522", "description": "CWE-522 Insufficiently Protected Credentials", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db", "shortName": "tibco", "dateUpdated": "2023-11-08T19:44:03.634Z"}, "references": [{"url": "https://www.tibco.com/services/support/advisories"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>TIBCO has released updated versions of the affected components which address these issues.</p><p>Spotfire Analyst versions 12.3.0, 12.4.0, and 12.5.0: update to version 14.0.0 or later</p><p>Spotfire Server versions 12.3.0, 12.4.0, and 12.5.0: update to version 14.0.0 or later</p><p>Spotfire for AWS Marketplace version 12.5.0: update to version 14.0.0 or later</p>"}], "value": "TIBCO has released updated versions of the affected components which address these issues.\n\nSpotfire Analyst versions 12.3.0, 12.4.0, and 12.5.0: update to version 14.0.0 or later\n\nSpotfire Server versions 12.3.0, 12.4.0, and 12.5.0: update to version 14.0.0 or later\n\nSpotfire for AWS Marketplace version 12.5.0: update to version 14.0.0 or later\n\n"}], "source": {"discovery": "INTERNAL"}, "title": "TIBCO Spotfire Insufficiently Protected Credential vulnerability", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T11:46:23.940Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.tibco.com/services/support/advisories", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-04T15:46:35.719041Z", "id": "CVE-2023-26221", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-04T15:46:47.013Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.tibco.com/services/support/advisories", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T11:46:23.940Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-26221", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-04T15:46:35.719041Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-04T15:46:42.663Z"}}], "cna": {"title": "TIBCO Spotfire Insufficiently Protected Credential vulnerability", "source": {"discovery": "INTERNAL"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "TIBCO Software Inc.", "product": "Spotfire Analyst", "versions": [{"status": "affected", "version": "12.3.0"}, {"status": "affected", "version": "12.4.0"}, {"status": "affected", "version": "12.5.0"}], "defaultStatus": "unknown"}, {"vendor": "TIBCO Software Inc.", "product": "Spotfire Server", "versions": [{"status": "affected", "version": "12.3.0"}, {"status": "affected", "version": "12.4.0"}, {"status": "affected", "version": "12.5.0"}], "defaultStatus": "unknown"}, {"vendor": "TIBCO Software Inc.", "product": "Spotfire for AWS Marketplace", "versions": [{"status": "affected", "version": "12.5.0"}], "defaultStatus": "unknown"}], "solutions": [{"lang": "en", "value": "TIBCO has released updated versions of the affected components which address these issues.\n\nSpotfire Analyst versions 12.3.0, 12.4.0, and 12.5.0: update to version 14.0.0 or later\n\nSpotfire Server versions 12.3.0, 12.4.0, and 12.5.0: update to version 14.0.0 or later\n\nSpotfire for AWS Marketplace version 12.5.0: update to version 14.0.0 or later\n\n", "supportingMedia": [{"type": "text/html", "value": "<p>TIBCO has released updated versions of the affected components which address these issues.</p><p>Spotfire Analyst versions 12.3.0, 12.4.0, and 12.5.0: update to version 14.0.0 or later</p><p>Spotfire Server versions 12.3.0, 12.4.0, and 12.5.0: update to version 14.0.0 or later</p><p>Spotfire for AWS Marketplace version 12.5.0: update to version 14.0.0 or later</p>", "base64": false}]}], "references": [{"url": "https://www.tibco.com/services/support/advisories"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "The Spotfire Connectors component of TIBCO Software Inc.'s Spotfire Analyst, Spotfire Server, and Spotfire for AWS Marketplace contains an easily exploitable vulnerability that allows a low privileged attacker with read/write access to craft malicious Analyst files. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.'s Spotfire Analyst: versions 12.3.0, 12.4.0, and 12.5.0, Spotfire Server: versions 12.3.0, 12.4.0, and 12.5.0, and Spotfire for AWS Marketplace: version 12.5.0.\n\n", "supportingMedia": [{"type": "text/html", "value": "<p>The Spotfire Connectors component of TIBCO Software Inc.'s Spotfire Analyst, Spotfire Server, and Spotfire for AWS Marketplace contains an easily exploitable vulnerability that allows a low privileged attacker with read/write access to craft malicious Analyst files. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.'s Spotfire Analyst: versions 12.3.0, 12.4.0, and 12.5.0, Spotfire Server: versions 12.3.0, 12.4.0, and 12.5.0, and Spotfire for AWS Marketplace: version 12.5.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-522", "description": "CWE-522 Insufficiently Protected Credentials"}]}], "providerMetadata": {"orgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db", "shortName": "tibco", "dateUpdated": "2023-11-08T19:44:03.634Z"}}}, "cveMetadata": {"cveId": "CVE-2023-26221", "state": "PUBLISHED", "dateUpdated": "2024-09-04T15:46:47.013Z", "dateReserved": "2023-02-20T22:18:23.428Z", "assignerOrgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db", "datePublished": "2023-11-08T19:44:03.634Z", "assignerShortName": "tibco"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tibco:spotfire_analyst:12.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "949054A7-A299-4C11-9E2B-7437D6C4D801", "vulnerable": true}, {"criteria": "cpe:2.3:a:tibco:spotfire_analyst:12.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "C63E85E6-8519-4957-B55B-0B8F6E658B2B", "vulnerable": true}, {"criteria": "cpe:2.3:a:tibco:spotfire_analyst:12.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "FE433F55-79E4-438C-81C7-4CEEAEE1C442", "vulnerable": true}, {"criteria": "cpe:2.3:a:tibco:spotfire_analytics_platform:12.5.0:*:*:*:*:aws_marketplace:*:*", "matchCriteriaId": "55B9367D-3938-4059-BABE-72322C2AE10C", "vulnerable": true}, {"criteria": "cpe:2.3:a:tibco:spotfire_server:12.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "0F7F5C30-950E-4483-8795-761C506BB549", "vulnerable": true}, {"criteria": "cpe:2.3:a:tibco:spotfire_server:12.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "4B67F529-EB21-4628-ADA2-56E76DA272EB", "vulnerable": true}, {"criteria": "cpe:2.3:a:tibco:spotfire_server:12.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "889EE133-0CEE-429F-A58E-1F310FB981B8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Spotfire Connectors component of TIBCO Software Inc.'s Spotfire Analyst, Spotfire Server, and Spotfire for AWS Marketplace contains an easily exploitable vulnerability that allows a low privileged attacker with read/write access to craft malicious Analyst files. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.'s Spotfire Analyst: versions 12.3.0, 12.4.0, and 12.5.0, Spotfire Server: versions 12.3.0, 12.4.0, and 12.5.0, and Spotfire for AWS Marketplace: version 12.5.0.\n\n"}, {"lang": "es", "value": "El componente Spotfire Connectors de Spotfire Analyst, Spotfire Server y Spotfire para AWS Marketplace de TIBCO Software Inc. contiene una vulnerabilidad f\u00e1cilmente explotable que permite a un atacante con pocos privilegios y acceso de lectura/escritura crear archivos maliciosos de Analyst. Un ataque exitoso que utilice esta vulnerabilidad requiere la interacci\u00f3n humana de una persona distinta del atacante. Las versiones afectadas son Spotfire Analyst de TIBCO Software Inc.: versiones 12.3.0, 12.4.0 y 12.5.0, Spotfire Server: versiones 12.3.0, 12.4.0 y 12.5.0, y Spotfire para AWS Marketplace: versi\u00f3n 12.5.0."}], "id": "CVE-2023-26221", "lastModified": "2024-11-21T07:50:56.717", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 2.7, "source": "security@tibco.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.9, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-11-08T20:15:07.313", "references": [{"source": "security@tibco.com", "tags": ["Vendor Advisory"], "url": "https://www.tibco.com/services/support/advisories"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.tibco.com/services/support/advisories"}], "sourceIdentifier": "security@tibco.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-522"}], "source": "security@tibco.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-522"}], "source": "nvd@nist.gov", "type": "Primary"}]}