CVE-2018-18814

TIBCO Spotfire Authentication Vulnerability

CVSS 8.8 HIGH · EPSS 3.1%
In short

TIBCO Spotfire has a flaw in how it checks user login credentials, allowing attackers to bypass authentication and gain unauthorized access to user accounts regardless of what security settings are configured.

Technical detail

The authentication component in TIBCO Spotfire Analytics Platform for AWS Marketplace (≤10.0.0) and TIBCO Spotfire Server (≤7.14.0) fails to properly validate credentials, enabling attackers to circumvent authentication mechanisms and achieve full account compromise. The vulnerability is independent of the configured authentication mechanism, so accounts are affected regardless of how authentication is set up.

Summary generated and translated by AI from the official description.
The TIBCO Spotfire authentication component of TIBCO Software Inc.'s TIBCO Spotfire Analytics Platform for AWS Marketplace, and TIBCO Spotfire Server contains a vulnerability in the handling of the authentication that theoretically may allow an attacker to gain full access to a target account, independent of configured authentication mechanisms. Affected releases are TIBCO Software Inc. TIBCO Spotfire Analytics Platform for AWS Marketplace: versions up to and including 10.0.0, and TIBCO Spotfire Server: versions up to and including 7.10.1; 7.11.0; 7.11.1; 7.12.0; 7.13.0; 7.14.0.
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
