XML External Entity injection in TIBCO Managed File Transfer Command Center and TIBCO Managed File Transfer Internet Server

#VU63167 XML External Entity injection in TIBCO Managed File Transfer Command Center and TIBCO Managed File Transfer Internet Server

Published: 2022-05-13

Vulnerability identifier: #VU63167

Vulnerability risk: High

CVSSv3.1: 7.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-22774

CWE-ID: CWE-611

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
TIBCO Managed File Transfer Command Center
Server applications / Other server solutions
TIBCO Managed File Transfer Internet Server
Server applications / Other server solutions

Vendor: TIBCO

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to insufficient validation of user-supplied XML input in the DOM XML parser and SAX XML parser. A remote attacker can pass a specially crafted XML code and update, insert or delete access to data on the affected system and associated resources.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

TIBCO Managed File Transfer Command Center: 8.0.0 - 8.4.1

TIBCO Managed File Transfer Internet Server: 8.0.0 - 8.4.1

External links
http://www.tibco.com/services/support/advisories
http://www.tibco.com/support/advisories/2022/05/tibco-security-advisory-may-10-2022-tibco-mftcc-2022-22774

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

XML External Entity injection in TIBCO Managed File Transfer Command Center and TIBCO Managed File Transfer Internet Server