{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-26221", "assignerOrgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db", "state": "PUBLISHED", "assignerShortName": "tibco", "dateReserved": "2023-02-20T22:18:23.428Z", "datePublished": "2023-11-08T19:44:03.634Z", "dateUpdated": "2024-09-04T15:46:47.013Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "product": "Spotfire Analyst", "vendor": "TIBCO Software Inc.", "versions": [{"status": "affected", "version": "12.3.0"}, {"status": "affected", "version": "12.4.0"}, {"status": "affected", "version": "12.5.0"}]}, {"defaultStatus": "unknown", "product": "Spotfire Server", "vendor": "TIBCO Software Inc.", "versions": [{"status": "affected", "version": "12.3.0"}, {"status": "affected", "version": "12.4.0"}, {"status": "affected", "version": "12.5.0"}]}, {"defaultStatus": "unknown", "product": "Spotfire for AWS Marketplace", "vendor": "TIBCO Software Inc.", "versions": [{"status": "affected", "version": "12.5.0"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>The Spotfire Connectors component of TIBCO Software Inc.'s Spotfire Analyst, Spotfire Server, and Spotfire for AWS Marketplace contains an easily exploitable vulnerability that allows a low privileged attacker with read/write access to craft malicious Analyst files. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.'s Spotfire Analyst: versions 12.3.0, 12.4.0, and 12.5.0, Spotfire Server: versions 12.3.0, 12.4.0, and 12.5.0, and Spotfire for AWS Marketplace: version 12.5.0.</p>"}], "value": "The Spotfire Connectors component of TIBCO Software Inc.'s Spotfire Analyst, Spotfire Server, and Spotfire for AWS Marketplace contains an easily exploitable vulnerability that allows a low privileged attacker with read/write access to craft malicious Analyst files. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.'s Spotfire Analyst: versions 12.3.0, 12.4.0, and 12.5.0, Spotfire Server: versions 12.3.0, 12.4.0, and 12.5.0, and Spotfire for AWS Marketplace: version 12.5.0.\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-522", "description": "CWE-522 Insufficiently Protected Credentials", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db", "shortName": "tibco", "dateUpdated": "2023-11-08T19:44:03.634Z"}, "references": [{"url": "https://www.tibco.com/services/support/advisories"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>TIBCO has released updated versions of the affected components which address these issues.</p><p>Spotfire Analyst versions 12.3.0, 12.4.0, and 12.5.0: update to version 14.0.0 or later</p><p>Spotfire Server versions 12.3.0, 12.4.0, and 12.5.0: update to version 14.0.0 or later</p><p>Spotfire for AWS Marketplace version 12.5.0: update to version 14.0.0 or later</p>"}], "value": "TIBCO has released updated versions of the affected components which address these issues.\n\nSpotfire Analyst versions 12.3.0, 12.4.0, and 12.5.0: update to version 14.0.0 or later\n\nSpotfire Server versions 12.3.0, 12.4.0, and 12.5.0: update to version 14.0.0 or later\n\nSpotfire for AWS Marketplace version 12.5.0: update to version 14.0.0 or later\n\n"}], "source": {"discovery": "INTERNAL"}, "title": "TIBCO Spotfire Insufficiently Protected Credential vulnerability", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T11:46:23.940Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.tibco.com/services/support/advisories", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-04T15:46:35.719041Z", "id": "CVE-2023-26221", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-04T15:46:47.013Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.tibco.com/services/support/advisories", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T11:46:23.940Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-26221", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-04T15:46:35.719041Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-04T15:46:42.663Z"}}], "cna": {"title": "TIBCO Spotfire Insufficiently Protected Credential vulnerability", "source": {"discovery": "INTERNAL"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "TIBCO Software Inc.", "product": "Spotfire Analyst", "versions": [{"status": "affected", "version": "12.3.0"}, {"status": "affected", "version": "12.4.0"}, {"status": "affected", "version": "12.5.0"}], "defaultStatus": "unknown"}, {"vendor": "TIBCO Software Inc.", "product": "Spotfire Server", "versions": [{"status": "affected", "version": "12.3.0"}, {"status": "affected", "version": "12.4.0"}, {"status": "affected", "version": "12.5.0"}], "defaultStatus": "unknown"}, {"vendor": "TIBCO Software Inc.", "product": "Spotfire for AWS Marketplace", "versions": [{"status": "affected", "version": "12.5.0"}], "defaultStatus": "unknown"}], "solutions": [{"lang": "en", "value": "TIBCO has released updated versions of the affected components which address these issues.\n\nSpotfire Analyst versions 12.3.0, 12.4.0, and 12.5.0: update to version 14.0.0 or later\n\nSpotfire Server versions 12.3.0, 12.4.0, and 12.5.0: update to version 14.0.0 or later\n\nSpotfire for AWS Marketplace version 12.5.0: update to version 14.0.0 or later\n\n", "supportingMedia": [{"type": "text/html", "value": "<p>TIBCO has released updated versions of the affected components which address these issues.</p><p>Spotfire Analyst versions 12.3.0, 12.4.0, and 12.5.0: update to version 14.0.0 or later</p><p>Spotfire Server versions 12.3.0, 12.4.0, and 12.5.0: update to version 14.0.0 or later</p><p>Spotfire for AWS Marketplace version 12.5.0: update to version 14.0.0 or later</p>", "base64": false}]}], "references": [{"url": "https://www.tibco.com/services/support/advisories"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "The Spotfire Connectors component of TIBCO Software Inc.'s Spotfire Analyst, Spotfire Server, and Spotfire for AWS Marketplace contains an easily exploitable vulnerability that allows a low privileged attacker with read/write access to craft malicious Analyst files. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.'s Spotfire Analyst: versions 12.3.0, 12.4.0, and 12.5.0, Spotfire Server: versions 12.3.0, 12.4.0, and 12.5.0, and Spotfire for AWS Marketplace: version 12.5.0.\n\n", "supportingMedia": [{"type": "text/html", "value": "<p>The Spotfire Connectors component of TIBCO Software Inc.'s Spotfire Analyst, Spotfire Server, and Spotfire for AWS Marketplace contains an easily exploitable vulnerability that allows a low privileged attacker with read/write access to craft malicious Analyst files. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.'s Spotfire Analyst: versions 12.3.0, 12.4.0, and 12.5.0, Spotfire Server: versions 12.3.0, 12.4.0, and 12.5.0, and Spotfire for AWS Marketplace: version 12.5.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-522", "description": "CWE-522 Insufficiently Protected Credentials"}]}], "providerMetadata": {"orgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db", "shortName": "tibco", "dateUpdated": "2023-11-08T19:44:03.634Z"}}}, "cveMetadata": {"cveId": "CVE-2023-26221", "state": "PUBLISHED", "dateUpdated": "2024-09-04T15:46:47.013Z", "dateReserved": "2023-02-20T22:18:23.428Z", "assignerOrgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db", "datePublished": "2023-11-08T19:44:03.634Z", "assignerShortName": "tibco"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tibco:spotfire_analyst:12.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "949054A7-A299-4C11-9E2B-7437D6C4D801", "vulnerable": true}, {"criteria": "cpe:2.3:a:tibco:spotfire_analyst:12.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "C63E85E6-8519-4957-B55B-0B8F6E658B2B", "vulnerable": true}, {"criteria": "cpe:2.3:a:tibco:spotfire_analyst:12.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "FE433F55-79E4-438C-81C7-4CEEAEE1C442", "vulnerable": true}, {"criteria": "cpe:2.3:a:tibco:spotfire_analytics_platform:12.5.0:*:*:*:*:aws_marketplace:*:*", "matchCriteriaId": "55B9367D-3938-4059-BABE-72322C2AE10C", "vulnerable": true}, {"criteria": "cpe:2.3:a:tibco:spotfire_server:12.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "0F7F5C30-950E-4483-8795-761C506BB549", "vulnerable": true}, {"criteria": "cpe:2.3:a:tibco:spotfire_server:12.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "4B67F529-EB21-4628-ADA2-56E76DA272EB", "vulnerable": true}, {"criteria": "cpe:2.3:a:tibco:spotfire_server:12.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "889EE133-0CEE-429F-A58E-1F310FB981B8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Spotfire Connectors component of TIBCO Software Inc.'s Spotfire Analyst, Spotfire Server, and Spotfire for AWS Marketplace contains an easily exploitable vulnerability that allows a low privileged attacker with read/write access to craft malicious Analyst files. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.'s Spotfire Analyst: versions 12.3.0, 12.4.0, and 12.5.0, Spotfire Server: versions 12.3.0, 12.4.0, and 12.5.0, and Spotfire for AWS Marketplace: version 12.5.0.\n\n"}, {"lang": "es", "value": "El componente Spotfire Connectors de Spotfire Analyst, Spotfire Server y Spotfire para AWS Marketplace de TIBCO Software Inc. contiene una vulnerabilidad f\u00e1cilmente explotable que permite a un atacante con pocos privilegios y acceso de lectura/escritura crear archivos maliciosos de Analyst. Un ataque exitoso que utilice esta vulnerabilidad requiere la interacci\u00f3n humana de una persona distinta del atacante. Las versiones afectadas son Spotfire Analyst de TIBCO Software Inc.: versiones 12.3.0, 12.4.0 y 12.5.0, Spotfire Server: versiones 12.3.0, 12.4.0 y 12.5.0, y Spotfire para AWS Marketplace: versi\u00f3n 12.5.0."}], "id": "CVE-2023-26221", "lastModified": "2024-11-21T07:50:56.717", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 2.7, "source": "security@tibco.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.9, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-11-08T20:15:07.313", "references": [{"source": "security@tibco.com", "tags": ["Vendor Advisory"], "url": "https://www.tibco.com/services/support/advisories"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.tibco.com/services/support/advisories"}], "sourceIdentifier": "security@tibco.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-522"}], "source": "security@tibco.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-522"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}