Improper Certificate Validation in TIBCO products - CVE-2021-35497

Published: October 6, 2021

Vulnerability identifier: #VU57078
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-35497
CWE-ID: CWE-295
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: TIBCO
Affected software:
TIBCO ActiveSpaces Community Edition
TIBCO ActiveSpaces Developer Edition
TIBCO ActiveSpaces Enterprise Edition
TIBCO FTL Community Edition
TIBCO FTL Developer Edition
TIBCO FTL Enterprise Edition
TIBCO eFTL Community Edition
TIBCO eFTL Developer Edition
TIBCO eFTL Enterprise Edition

Detailed vulnerability description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to improper certificate validation (CWE-295) in the FTL Server (tibftlserver) and in Docker images that contain tibftlserver components. Because the server does not properly validate certificates, a remote authenticated attacker positioned on the network path can perform a man-in-the-middle (MitM) attack and gain full administrative access to the affected system.

How to mitigate CVE-2021-35497

Install the updates from the vendor's website.

Sources