CVE-2022-22775 - Vulnerability Details - OpenCVE

The Workspace client component of TIBCO Software Inc.'s TIBCO BPM Enterprise and TIBCO BPM Enterprise Distribution for TIBCO Silver Fabric contains difficult to exploit Reflected Cross Site Scripting (XSS) vulnerabilities that allow low privileged attackers with network access to execute scripts targeting the affected system or the victim's local system. Affected releases are TIBCO Software Inc.'s TIBCO BPM Enterprise: versions 4.3.1 and below and TIBCO BPM Enterprise Distribution for TIBCO Silver Fabric: versions 4.3.1 and below.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Tibco	Bpm Enterprise Bpm Enterprise Distribution For Silver Fabric

Configuration 1 [-]

OR	cpe:2.3:a:tibco:bpm_enterprise::::::::
	cpe:2.3:a:tibco:bpm_enterprise_distribution_for_silver_fabric::::::::

No data.

References

Link	Providers
https://www.tibco.com/services/support/advisories
https://www.tibco.com/support/advisories/2022/05/tibco-security-advisory-may-17-2022-tibco-activematrix-bpm-cve-2022-22775

History

No history.

MITRE

Status: PUBLISHED

Assigner: tibco

Published: 2022-05-17T17:30:14.875715Z

Updated: 2024-09-17T03:37:44.649Z

Reserved: 2022-01-07T00:00:00

Link: CVE-2022-22775

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-05-17T18:15:08.327

Modified: 2024-11-21T06:47:25.460

Link: CVE-2022-22775

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "TIBCO BPM Enterprise", "vendor": "TIBCO Software Inc.", "versions": [{"lessThanOrEqual": "4.3.1", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "TIBCO BPM Enterprise Distribution for TIBCO Silver Fabric", "vendor": "TIBCO Software Inc.", "versions": [{"lessThanOrEqual": "4.3.1", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "datePublic": "2022-05-17T00:00:00", "descriptions": [{"lang": "en", "value": "The Workspace client component of TIBCO Software Inc.'s TIBCO BPM Enterprise and TIBCO BPM Enterprise Distribution for TIBCO Silver Fabric contains difficult to exploit Reflected Cross Site Scripting (XSS) vulnerabilities that allow low privileged attackers with network access to execute scripts targeting the affected system or the victim's local system. Affected releases are TIBCO Software Inc.'s TIBCO BPM Enterprise: versions 4.3.1 and below and TIBCO BPM Enterprise Distribution for TIBCO Silver Fabric: versions 4.3.1 and below."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "In the worst case, if the victim is a privileged administrator, successful execution of these vulnerabilities can result in an attacker gaining full administrative access to the affected system.", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-05-17T18:06:11", "orgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db", "shortName": "tibco"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.tibco.com/services/support/advisories"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.tibco.com/support/advisories/2022/05/tibco-security-advisory-may-17-2022-tibco-activematrix-bpm-cve-2022-22775"}], "solutions": [{"lang": "en", "value": "TIBCO has released updated versions of the affected components which address these issues.\n\nTIBCO BPM Enterprise versions 4.3.1 and below: update to version 4.3.2 or later\nTIBCO BPM Enterprise Distribution for TIBCO Silver Fabric versions 4.3.1 and below: update to version 4.3.2 or later"}], "source": {"discovery": "ING Bank N.V."}, "title": "TIBCO ActiveMatrix BPM Reflected Cross Site Scripting (XSS) vulnerability", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@tibco.com", "DATE_PUBLIC": "2022-05-17T17:00:00Z", "ID": "CVE-2022-22775", "STATE": "PUBLIC", "TITLE": "TIBCO ActiveMatrix BPM Reflected Cross Site Scripting (XSS) vulnerability"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "TIBCO BPM Enterprise", "version": {"version_data": [{"version_affected": "<=", "version_value": "4.3.1"}]}}, {"product_name": "TIBCO BPM Enterprise Distribution for TIBCO Silver Fabric", "version": {"version_data": [{"version_affected": "<=", "version_value": "4.3.1"}]}}]}, "vendor_name": "TIBCO Software Inc."}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Workspace client component of TIBCO Software Inc.'s TIBCO BPM Enterprise and TIBCO BPM Enterprise Distribution for TIBCO Silver Fabric contains difficult to exploit Reflected Cross Site Scripting (XSS) vulnerabilities that allow low privileged attackers with network access to execute scripts targeting the affected system or the victim's local system. Affected releases are TIBCO Software Inc.'s TIBCO BPM Enterprise: versions 4.3.1 and below and TIBCO BPM Enterprise Distribution for TIBCO Silver Fabric: versions 4.3.1 and below."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "In the worst case, if the victim is a privileged administrator, successful execution of these vulnerabilities can result in an attacker gaining full administrative access to the affected system."}]}]}, "references": {"reference_data": [{"name": "https://www.tibco.com/services/support/advisories", "refsource": "CONFIRM", "url": "https://www.tibco.com/services/support/advisories"}, {"name": "https://www.tibco.com/support/advisories/2022/05/tibco-security-advisory-may-17-2022-tibco-activematrix-bpm-cve-2022-22775", "refsource": "CONFIRM", "url": "https://www.tibco.com/support/advisories/2022/05/tibco-security-advisory-may-17-2022-tibco-activematrix-bpm-cve-2022-22775"}]}, "solution": [{"lang": "en", "value": "TIBCO has released updated versions of the affected components which address these issues.\n\nTIBCO BPM Enterprise versions 4.3.1 and below: update to version 4.3.2 or later\nTIBCO BPM Enterprise Distribution for TIBCO Silver Fabric versions 4.3.1 and below: update to version 4.3.2 or later"}], "source": {"discovery": "ING Bank N.V."}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T03:21:49.170Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.tibco.com/services/support/advisories"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.tibco.com/support/advisories/2022/05/tibco-security-advisory-may-17-2022-tibco-activematrix-bpm-cve-2022-22775"}]}]}, "cveMetadata": {"assignerOrgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db", "assignerShortName": "tibco", "cveId": "CVE-2022-22775", "datePublished": "2022-05-17T17:30:14.875715Z", "dateReserved": "2022-01-07T00:00:00", "dateUpdated": "2024-09-17T03:37:44.649Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tibco:bpm_enterprise:*:*:*:*:*:*:*:*", "matchCriteriaId": "3782844F-E11B-4B47-AA9B-44275B4F245A", "versionEndExcluding": "4.3.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:tibco:bpm_enterprise_distribution_for_silver_fabric:*:*:*:*:*:*:*:*", "matchCriteriaId": "586686C8-1836-4E04-AAFD-A838F8217C61", "versionEndExcluding": "4.3.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Workspace client component of TIBCO Software Inc.'s TIBCO BPM Enterprise and TIBCO BPM Enterprise Distribution for TIBCO Silver Fabric contains difficult to exploit Reflected Cross Site Scripting (XSS) vulnerabilities that allow low privileged attackers with network access to execute scripts targeting the affected system or the victim's local system. Affected releases are TIBCO Software Inc.'s TIBCO BPM Enterprise: versions 4.3.1 and below and TIBCO BPM Enterprise Distribution for TIBCO Silver Fabric: versions 4.3.1 and below."}, {"lang": "es", "value": "El componente cliente Workspace de TIBCO Software Inc.'s TIBCO BPM Enterprise y TIBCO BPM Enterprise Distribution for TIBCO Silver Fabric contiene vulnerabilidades de tipo Cross Site Scripting (XSS) Reflejado dif\u00edciles de explotar que permiten a atacantes con pocos privilegios y acceso a la red ejecutar scripts dirigidos al sistema afectado o al sistema local de la v\u00edctima. Las versiones afectadas son TIBCO Software Inc.'s TIBCO BPM Enterprise: versiones 4.3.1 y anteriores y TIBCO BPM Enterprise Distribution for TIBCO Silver Fabric: versiones 4.3.1 y anteriores"}], "id": "CVE-2022-22775", "lastModified": "2024-11-21T06:47:25.460", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security@tibco.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-05-17T18:15:08.327", "references": [{"source": "security@tibco.com", "tags": ["Vendor Advisory"], "url": "https://www.tibco.com/services/support/advisories"}, {"source": "security@tibco.com", "tags": ["Vendor Advisory"], "url": "https://www.tibco.com/support/advisories/2022/05/tibco-security-advisory-may-17-2022-tibco-activematrix-bpm-cve-2022-22775"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.tibco.com/services/support/advisories"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.tibco.com/support/advisories/2022/05/tibco-security-advisory-may-17-2022-tibco-activematrix-bpm-cve-2022-22775"}], "sourceIdentifier": "security@tibco.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}