#VU57078 Improper Certificate Validation in TIBCO products - CVE-2021-35497

 


Published: October 6, 2021


Vulnerability identifier: #VU57078
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-35497
CWE-ID: CWE-295
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
TIBCO ActiveSpaces Community Edition
TIBCO ActiveSpaces Developer Edition
TIBCO ActiveSpaces Enterprise Edition
TIBCO FTL Community Edition
TIBCO FTL Developer Edition
TIBCO FTL Enterprise Edition
TIBCO eFTL Community Edition
TIBCO eFTL Developer Edition
TIBCO eFTL Enterprise Edition
Software vendor:
TIBCO

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to improper certificate validation in the FTL Server (tibftlserver) and Docker images containing tibftlserver components. A remote authenticated attacker can perform a man-in-the-middle (MitM) attack and gain full administrative access to the affected system.


Remediation

Install updates from the vendor's website.
