Vulnerability Details : CVE-2019-17334
The Visualizations component of TIBCO Software Inc.'s TIBCO Spotfire Analyst, TIBCO Spotfire Analytics Platform for AWS Marketplace, TIBCO Spotfire Deployment Kit, TIBCO Spotfire Desktop, and TIBCO Spotfire Desktop Language Packs contains a vulnerability that theoretically allows an attacker with permission to write DXP files to the Spotfire library to remotely execute code of their choice on the user account of other users who access the affected system. This attack is a risk only when the attacker has write access to a network file system shared with the affected system. Affected releases are TIBCO Software Inc.'s TIBCO Spotfire Analyst: versions 7.11.1 and below, versions 7.12.0, 7.13.0, 7.14.0, 10.0.0, 10.1.0, 10.2.0, 10.3.0, 10.3.1, and 10.3.2, versions 10.4.0, 10.5.0, and 10.6.0, TIBCO Spotfire Analytics Platform for AWS Marketplace: version 10.6.0, TIBCO Spotfire Deployment Kit: versions 7.11.1 and below, TIBCO Spotfire Desktop: versions 7.11.1 and below, versions 7.12.0, 7.13.0, 7.14.0, 10.0.0, 10.1.0, 10.2.0, 10.3.0, 10.3.1, and 10.3.2, versions 10.4.0, 10.5.0, and 10.6.0, and TIBCO Spotfire Desktop Language Packs: versions 7.11.1 and below.
Vulnerability category: Execute code
Exploit prediction scoring system (EPSS) score for CVE-2019-17334
Probability of exploitation activity in the next 30 days: 0.11%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 42 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2019-17334
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
6.0
|
MEDIUM | AV:N/AC:M/Au:S/C:P/I:P/A:P |
6.8
|
6.4
|
NIST |
|
7.6
|
HIGH | CVSS:3.0/AV:A/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H |
0.9
|
6.0
|
TIBCO Software Inc. |
|
8.0
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |
2.1
|
5.9
|
NIST |
CWE ids for CVE-2019-17334
-
During installation, installed file permissions are set to allow anyone to modify those files.Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-17334
-
http://www.tibco.com/services/support/advisories
Advisory | TIBCO SoftwareVendor Advisory
-
https://www.tibco.com/support/advisories/2019/12/tibco-security-advisory-december-17-2019-tibco-spotfire-2019-17334
TIBCO Security Advisory: December 17, 2019 - TIBCO Spotfire - 2019-17334 | TIBCO SoftwareVendor Advisory
Products affected by CVE-2019-17334
- cpe:2.3:a:tibco:spotfire_deployment_kit:*:*:*:*:*:*:*:*
- cpe:2.3:a:tibco:spotfire_desktop:*:*:*:*:*:*:*:*
- cpe:2.3:a:tibco:spotfire_desktop:7.12.0:*:*:*:*:*:*:*
- cpe:2.3:a:tibco:spotfire_desktop:7.13.0:*:*:*:*:*:*:*
- cpe:2.3:a:tibco:spotfire_desktop:7.14.0:*:*:*:*:*:*:*
- cpe:2.3:a:tibco:spotfire_desktop:10.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:tibco:spotfire_desktop:10.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:tibco:spotfire_desktop:10.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:tibco:spotfire_desktop:10.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:tibco:spotfire_desktop:10.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:tibco:spotfire_desktop:10.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:tibco:spotfire_desktop:10.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:tibco:spotfire_desktop:10.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:tibco:spotfire_desktop:10.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:tibco:spotfire_desktop_language_packs:*:*:*:*:*:*:*:*
- cpe:2.3:a:tibco:spotfire_analyst:*:*:*:*:*:*:*:*
- cpe:2.3:a:tibco:spotfire_analyst:7.12.0:*:*:*:*:*:*:*
- cpe:2.3:a:tibco:spotfire_analyst:7.13.0:*:*:*:*:*:*:*
- cpe:2.3:a:tibco:spotfire_analyst:7.14.0:*:*:*:*:*:*:*
- cpe:2.3:a:tibco:spotfire_analyst:10.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:tibco:spotfire_analyst:10.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:tibco:spotfire_analyst:10.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:tibco:spotfire_analyst:10.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:tibco:spotfire_analyst:10.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:tibco:spotfire_analyst:10.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:tibco:spotfire_analyst:10.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:tibco:spotfire_analyst:10.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:tibco:spotfire_analyst:10.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:tibco:spotfire_analytics_platform_for_aws:10.6.0:*:*:*:*:*:*:*