Vulnerability identifier: #VU20028
Vulnerability risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-285
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
API Exchange Gateway
Server applications /
Other server solutions
Vendor: TIBCO
Description
The vulnerability allows a remote attacker to escalate privileges within the application.
The vulnerability exists due to incorrect implementation of the OAuth authorization. A remote authenticated attacker can escalate privileges within the application for the specific customer endpoint, when the implementation uses multiple scopes.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
API Exchange Gateway: 2.3.0 - 2.3.1
External links
http://www.tibco.com/support/advisories/2019/08/tibco-security-advisory-august-7-2019-tibco-api-exchange
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.