CVE-2020-9408 — HIGH (8.8) — White Hats Nepal

Q: How severe is CVE-2020-9408?

CVE-2020-9408 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2020-9408?

Check the references section above for vendor advisories and patch information. Affected products include: Tibco Spotfire Analytics Platform For Aws, Tibco Spotfire Server.

Vulnerability Description

The Spotfire library component of TIBCO Software Inc.'s TIBCO Spotfire Analytics Platform for AWS Marketplace and TIBCO Spotfire Server contains a vulnerability that theoretically allows an attacker with write permissions to the Spotfire Library, but not "Script Author" group permission, to modify attributes of files and objects saved to the library such that the system treats them as trusted. This could allow an attacker to cause the Spotfire Web Player, Analyst clients, and TERR Service into executing arbitrary code with the privileges of the system account that started those processes. Affected releases are TIBCO Software Inc.'s TIBCO Spotfire Analytics Platform for AWS Marketplace: versions 10.8.0 and below and TIBCO Spotfire Server: versions 7.11.9 and below, versions 7.12.0, 7.13.0, 7.14.0, 10.0.0, 10.0.1, 10.1.0, 10.2.0, 10.3.0, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, and 10.3.6, versions 10.4.0, 10.5.0, 10.6.0, 10.6.1, 10.7.0, and 10.8.0.

CVSS Score

8.8

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Tibco	Spotfire Analytics Platform For Aws	<= 10.8.0
Tibco	Spotfire Server	<= 7.11.9

Related Weaknesses (CWE)

CWE-276

References

http://www.tibco.com/services/support/advisoriesVendor Advisory
https://www.tibco.com/support/advisories/2020/03/tibco-security-advisory-march-1Vendor Advisory
http://www.tibco.com/services/support/advisoriesVendor Advisory
https://www.tibco.com/support/advisories/2020/03/tibco-security-advisory-march-1Vendor Advisory

FAQ

What is CVE-2020-9408?

CVE-2020-9408 is a vulnerability with a CVSS score of 8.8 (HIGH). The Spotfire library component of TIBCO Software Inc.'s TIBCO Spotfire Analytics Platform for AWS Marketplace and TIBCO Spotfire Server contains a vulnerability that theoretically allows an attacker w...

How severe is CVE-2020-9408?

CVE-2020-9408 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-9408?

Check the references section above for vendor advisories and patch information. Affected products include: Tibco Spotfire Analytics Platform For Aws, Tibco Spotfire Server.