CVE-2018-12408
TIBCO ActiveMatrix BusinessWorks 5.X XML eXternal Entity Vulnerability
In short
TIBCO ActiveMatrix BusinessWorks releases up to and including 5.13.0 are vulnerable to XML External Entity (XXE) attacks via incoming network messages: an unauthenticated remote attacker can read any file that the running BusinessWorks engine process is able to open.
Technical detail
The BusinessWorks engine parses XML from incoming network messages with external entity resolution left enabled. A crafted message can therefore carry an inline DTD that declares an entity whose SYSTEM identifier points at a local file; when the parser expands the reference it reads the file and splices its contents into the document, disclosing anything readable by the engine's process. This is a parser configuration weakness rather than an input sanitisation bug, and it needs no authentication or user interaction (CVSS AV:N/PR:N/UI:N). Until the engine is upgraded, refusing any inbound message that contains a DOCTYPE declaration at the network boundary blocks this class of attack, since without a DTD no entity can be declared. Affected versions: ActiveMatrix BusinessWorks ≤ 5.13.0, ActiveMatrix BusinessWorks for z/Linux ≤ 5.13.0, and ActiveMatrix BusinessWorks Distribution for TIBCO Silver Fabric ≤ 5.13.0.
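The mechanism described above, as an added example that is not TIBCO's code and does not use the engine's actual parser: a constructed XXE message, a stand-in parser (Python's bundled expat) configured to resolve external entities the way the vulnerable engine does, and the same parse with DTDs refused before any entity can be declared. The secret file, its contents, and the `<order>` message shape are constructed for the demonstration; the function names are this example's own.

```python
"""Added example (not TIBCO's code): an XXE message of the kind the advisory
describes, a parser that resolves the external entity and leaks the file, and
the same parse with DTDs refused up front. Standard library only."""
import os
import tempfile
import xml.parsers.expat

# Constructed sample: a file the engine's process can read (stands in for a
# config file or credential store on the BusinessWorks host).
SECRET = "db_password=hunter2"


def build_xxe_payload(target_path: str) -> bytes:
    """Constructed attacker message: an inline DTD declares a general entity
    whose SYSTEM identifier is a local file, then references it in content."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE order [<!ENTITY xxe SYSTEM "file://{target_path}">]>\n'
        '<order><customer>&xxe;</customer></order>'
    ).encode()


def _local_path(system_id: str) -> str:
    # Only file:// identifiers are modelled here; a real resolver would also
    # fetch http:// and other schemes, which is the SSRF side of XXE.
    prefix = "file://"
    return system_id[len(prefix):] if system_id.startswith(prefix) else system_id


def parse_resolving_external_entities(xml_bytes: bytes) -> str:
    """Model of the vulnerable behaviour: the parser honours the SYSTEM
    identifier, opens the file and splices its contents into the document."""
    parts = []
    parser = xml.parsers.expat.ParserCreate()
    parser.CharacterDataHandler = parts.append

    def resolve(context, base, system_id, public_id):
        # The child parser inherits the parent's handlers, so text from the
        # external entity lands in `parts` as if it had been in the message.
        child = parser.ExternalEntityParserCreate(context)
        with open(_local_path(system_id), "rb") as f:
            child.Parse(f.read(), True)
        return 1  # tell expat the entity was handled

    parser.ExternalEntityRefHandler = resolve
    parser.Parse(xml_bytes, True)
    return "".join(parts)


class DtdNotAllowed(ValueError):
    """Raised when an inbound message carries a DOCTYPE at all."""


def parse_rejecting_dtd(xml_bytes: bytes) -> str:
    """Hardened parse: abort as soon as a DOCTYPE appears. With no DTD there
    are no entity declarations, so neither external nor internal entities can
    be abused; well-formed messages without a DTD parse normally."""
    parts = []
    parser = xml.parsers.expat.ParserCreate()
    parser.CharacterDataHandler = parts.append

    def refuse(doctype_name, system_id, public_id, has_internal_subset):
        raise DtdNotAllowed(f"DOCTYPE {doctype_name!r} rejected")

    parser.StartDoctypeDeclHandler = refuse
    # Defence in depth: returning 0 makes expat fail the parse instead of
    # fetching anything, should an external reference ever be reached.
    parser.ExternalEntityRefHandler = lambda *args: 0
    parser.Parse(xml_bytes, True)
    return "".join(parts)


def demo() -> dict:
    """Write a throwaway secret file, send the payload to both parsers, and
    report what each one did."""
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as f:
        f.write(SECRET)
        path = f.name
    try:
        payload = build_xxe_payload(path)
        leaked = parse_resolving_external_entities(payload)
        try:
            parse_rejecting_dtd(payload)
            blocked = False
        except DtdNotAllowed:
            blocked = True
    finally:
        os.unlink(path)
    benign = parse_rejecting_dtd(b"<order><customer>ACME</customer></order>")
    return {"leaked": leaked, "blocked": blocked, "benign": benign}


if __name__ == "__main__":
    print(demo())
```

Rejecting the DOCTYPE rather than only external entities is deliberate: it also shuts out internal-entity amplification ("billion laughs") and parameter-entity tricks, and it is the check a reverse proxy or message gateway can apply without knowing how the engine behind it is configured.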
Summary generated and translated by AI from the official description.
The BusinessWorks engine component of TIBCO Software Inc.'s TIBCO ActiveMatrix BusinessWorks, TIBCO ActiveMatrix BusinessWorks for z/Linux, and TIBCO ActiveMatrix BusinessWorks Distribution for TIBCO Silver Fabric contains a vulnerability that may allow XML eXternal Entity (XXE) attacks via incoming network messages, and may disclose the contents of files accessible to a running BusinessWorks engine. Affected releases are TIBCO Software Inc. TIBCO ActiveMatrix BusinessWorks: versions up to and including 5.13.0, TIBCO ActiveMatrix BusinessWorks for z/Linux: versions up to and including 5.13.0, TIBCO ActiveMatrix BusinessWorks Distribution for TIBCO Silver Fabric: versions up to and including 5.13.0.
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (base score 7.5, High: network-reachable, low complexity, no privileges or user interaction, full confidentiality impact, no integrity or availability impact)
Affected products
TIBCO Software Inc. · TIBCO ActiveMatrix BusinessWorks
TIBCO Software Inc. · TIBCO ActiveMatrix BusinessWorks Distribution for TIBCO Silver Fabric
TIBCO Software Inc. · TIBCO ActiveMatrix BusinessWorks for z/Linux