TIBCO Silver Fabric vulnerability.

Eric Johnson 2019-02-12 22:56:45 -08:00
parent 590fdd1ac1
commit 36865ccb2e
No known key found for this signature in database
GPG Key ID: 59CD96D148FE29B0


@ -1,9 +1,41 @@
{
"CVE_data_meta" : {
"ASSIGNER" : "cve@mitre.org",
"ASSIGNER" : "security@tibco.com",
"DATE_PUBLIC" : "2019-02-13T17:00:00.000Z",
"ID" : "CVE-2018-12409",
"STATE" : "RESERVED"
"STATE" : "PUBLIC",
"TITLE" : "TIBCO Silver Fabric Vulnerable to Reflected Cross-Site Scripting attacks"
},
"affects" : {
"vendor" : {
"vendor_data" : [
{
"product" : {
"product_data" : [
{
"product_name" : "TIBCO Silver Fabric",
"version" : {
"version_data" : [
{
"affected" : "<=",
"version_value" : "5.8.1"
}
]
}
}
]
},
"vendor_name" : "TIBCO Software Inc."
}
]
}
},
"credit" : [
{
"lang" : "eng",
"value" : "TIBCO would like to extend its appreciation to Robert Podsiadlo of ING Tech Poland for discovery of this vulnerability."
}
],
"data_format" : "MITRE",
"data_type" : "CVE",
"data_version" : "4.0",
@ -11,8 +43,55 @@
"description_data" : [
{
"lang" : "eng",
"value" : "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value" : "The SOAP Admin API component of TIBCO Software Inc.'s TIBCO Silver Fabric contains a vulnerability that may allow reflected cross-site scripting (XSS) attacks. Affected releases are TIBCO Software Inc.'s TIBCO Silver Fabric: versions up to and including 5.8.1."
}
]
},
"impact" : {
"cvss" : {
"attackComplexity" : "LOW",
"attackVector" : "NETWORK",
"availabilityImpact" : "HIGH",
"baseScore" : 8.8,
"baseSeverity" : "HIGH",
"confidentialityImpact" : "HIGH",
"integrityImpact" : "HIGH",
"privilegesRequired" : "NONE",
"scope" : "UNCHANGED",
"userInteraction" : "REQUIRED",
"vectorString" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version" : "3.0"
}
},
"problemtype" : {
"problemtype_data" : [
{
"description" : [
{
"lang" : "eng",
"value" : "The impact of this vulnerability includes the theoretical possibility that an unauthenticated attacker could perform administrative functions provided by the web interface of the affected system."
}
]
}
]
},
"references" : {
"reference_data" : [
{
"url" : "http://www.tibco.com/services/support/advisories"
},
{
"url" : "https://www.tibco.com/support/advisories/2019/02/tibco-security-advisory-february-13-2019-tibco-silver-fabric"
}
]
},
"solution" : [
{
"lang" : "eng",
"value" : "TIBCO has released updated versions of the affected component which address this issue. For each affected system, update to the corresponding software versions:\n\nTIBCO Silver Fabric versions 5.8.1 and below update to version 6.0.0 or higher\n\nNote that the affected component has been deprecated in the systems affected. For customers that might not be able to update the software as quickly as needed, an alternate remediation is to disable the affected component. The component can be disabled by removing the configuration lines that activate it.\n\nTo disable the affected component:\n - find the file $SF_HOME/webapps/livecluster/WEB-INF/web.xml (where\n $SF_HOME corresponds to the root folder where TIBCO Silver Fabric is\n installed.)\n - open the file in a text editor, and remove the lines that look like this:\n\n <servlet-mapping>\n <servlet-name>AxisServlet</servlet-name>\n <url-pattern>/webservices/*</url-pattern>\n </servlet-mapping>\n <servlet-mapping>\n <servlet-name>AxisServlet</servlet-name>\n <url-pattern>/WebServices/*</url-pattern>\n </servlet-mapping>\n"
}
],
"source" : {
"discovery" : "EXTERNAL"
}
}
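Review bot: The `problemtype` entry (the `description` value under `problemtype_data`) carries an impact statement rather than a weakness class, so consumers that classify records by CWE get nothing to match on for what the description calls reflected cross-site scripting. I would put the weakness there, e.g. `"value" : "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"`, and move the impact sentence into `description_data`. The CVSS vector `S:U/C:H/I:H/A:H` appears to score the follow-on administrative actions rather than the script injection itself; if that is intentional, it is worth stating in the description, because triagers will compare it against the 8.8 base score. The first `reference_data` URL uses `http://` for the generic advisories page, so it could be upgraded to `https://` or dropped in favour of the specific advisory link that follows it.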