From 1459fe5b78db68a452c5b1e38d5bd27d8b4e1198 Mon Sep 17 00:00:00 2001 From: Eric Johnson Date: Tue, 28 Jan 2020 16:12:04 -0800 Subject: [PATCH] Update to CVE-2018-12415 to add missing information. --- 2018/12xxx/CVE-2018-12415.json | 193 +++++++++++++++++++++------------ 1 file changed, 122 insertions(+), 71 deletions(-) diff --git a/2018/12xxx/CVE-2018-12415.json b/2018/12xxx/CVE-2018-12415.json index 95bf30feb7f..d2159f1ef4e 100644 --- a/2018/12xxx/CVE-2018-12415.json +++ b/2018/12xxx/CVE-2018-12415.json @@ -1,72 +1,123 @@ { - "CVE_data_meta": { - "ASSIGNER": "security@tibco.com", - "ID": "CVE-2018-12415", - "STATE": "PUBLIC" - }, - "affects": { - "vendor": { - "vendor_data": [ - { - "product": { - "product_data": [ - { - "product_name": "n/a", - "version": { - "version_data": [ - { - "version_value": "n/a" - } - ] - } - } - ] - }, - "vendor_name": "n/a" - } - ] - } - }, - "data_format": "MITRE", - "data_type": "CVE", - "data_version": "4.0", - "description": { - "description_data": [ - { - "lang": "eng", - "value": "The Central Administration server (emsca) component of TIBCO Software Inc.'s TIBCO Enterprise Messaging Service, TIBCO Enterprise Messaging Service - Community Edition, and TIBCO Enterprise Messaging Service - Developer Edition contains a vulnerability which may allow an attacker to perform cross-site request forgery (CSRF) attacks. Affected releases are TIBCO Software Inc.'s TIBCO Enterprise Messaging Service: versions up to and including 8.4.0, TIBCO Enterprise Messaging Service - Community Edition: versions up to and including 8.4.0, and TIBCO Enterprise Messaging Service - Developer Edition versions up to and including 8.4.0." - } - ] - }, - "problemtype": { - "problemtype_data": [ - { - "description": [ - { - "lang": "eng", - "value": "n/a" - } - ] - } - ] - }, - "references": { - "reference_data": [ - { - "name": "http://www.tibco.com/services/support/advisories", - "refsource": "MISC", - "url": "http://www.tibco.com/services/support/advisories" - }, - { - "name": "https://www.tibco.com/support/advisories/2018/11/tibco-security-advisory-november-6-2018-tibco-enterprise-messaging-service", - "refsource": "CONFIRM", - "url": "https://www.tibco.com/support/advisories/2018/11/tibco-security-advisory-november-6-2018-tibco-enterprise-messaging-service" - }, - { - "name": "105850", - "refsource": "BID", - "url": "http://www.securityfocus.com/bid/105850" - } - ] - } -} \ No newline at end of file + "CVE_data_meta": { + "ASSIGNER": "security@tibco.com", + "DATE_PUBLIC": "2018-11-06T17:00:00Z", + "UPDATED": "2020-01-28T17:00:00Z", + "ID": "CVE-2018-12415", + "STATE": "PUBLIC", + "TITLE": "TIBCO Enterprise Message Service Vulnerable to CSRF Attacks" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "TIBCO Enterprise Message Service", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "8.4.0" + } + ] + } + }, + { + "product_name": "TIBCO Enterprise Message Service - Community Edition", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "8.4.0" + } + ] + } + }, + { + "product_name": "TIBCO Enterprise Message Service - Developer Edition", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_value": "8.4.0" + } + ] + } + } + ] + }, + "vendor_name": "TIBCO Software Inc." + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "The Central Administration server (emsca) component of TIBCO Software Inc.'s TIBCO Enterprise Message Service, TIBCO Enterprise Message Service - Community Edition, and TIBCO Enterprise Message Service - Developer Edition contains a vulnerability which may allow an attacker to perform cross-site request forgery (CSRF) attacks.\n\nAffected releases are TIBCO Software Inc.'s TIBCO Enterprise Message Service: versions 8.4.0 and below, TIBCO Enterprise Message Service - Community Edition: versions 8.4.0 and below, and TIBCO Enterprise Message Service - Developer Edition: versions 8.4.0 and below.\n" + } + ] + }, + "impact": { + "cvss": { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 7.5, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", + "version": "3.0" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "In deployments of TIBCO Enterprise Message Service (EMS) that use the Central Administration server, the impact of this vulnerability includes the theoretical possibility of reconfiguring all EMS servers administered by the affected component. With such access, the attacker might also be able to gain access to all data sent via EMS." + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "http://www.tibco.com/services/support/advisories", + "refsource": "MISC", + "url": "http://www.tibco.com/services/support/advisories" + }, + { + "name": "https://www.tibco.com/support/advisories/2018/11/tibco-security-advisory-november-6-2018-tibco-enterprise-messaging-service", + "refsource": "CONFIRM", + "url": "https://www.tibco.com/support/advisories/2018/11/tibco-security-advisory-november-6-2018-tibco-enterprise-messaging-service" + }, + { + "name": "105850", + "refsource": "BID", + "url": "http://www.securityfocus.com/bid/105850" + } + ] + }, + "solution": [ + { + "lang": "eng", + "value": "TIBCO has released updated versions of the affected components which address these issues.\n\nTIBCO Enterprise Message Service versions 8.4.0 and below update to version 8.4.1 or higher\nTIBCO Enterprise Message Service - Community Edition versions 8.4.0 and below update to version 8.4.1 or higher\nTIBCO Enterprise Message Service - Developer Edition versions 8.4.0 and below update to version 8.4.1 or higher" + } + ], + "source": { + "discovery": "INTERNAL" + } +}