Information disclosure in TIBCO Spotfire Server and TIBCO Spotfire for AWS - CVE-2019-17336
Published: December 18, 2019
Vulnerability identifier: #VU23653
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2019-17336
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: TIBCO
Affected software:
TIBCO Spotfire Server
TIBCO Spotfire for AWS
TIBCO Spotfire Server
TIBCO Spotfire for AWS
Detailed vulnerability description
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to the Data access layer component exposes credentials for shared data sources. A remote authenticated attacker can gain access to information that can lead to obtaining credentials used to access Spotfire data sources.
To successful exploitation of this vulnerability the attacker would need privileges to save a Spotfire file to the library, and only applies in a situation where NTLM credentials, or a credentials profile is in use.
How to mitigate CVE-2019-17336
Install updates from vendor's website.