Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2019-8992

The administrative server component of TIBCO Software Inc.'s TIBCO ActiveMatrix BPM, TIBCO ActiveMatrix BPM Distribution for TIBCO Silver Fabric, TIBCO ActiveMatrix Policy Director, TIBCO ActiveMatrix Service Bus, TIBCO ActiveMatrix Service Grid, TIBCO ActiveMatrix Service Grid Distribution for TIBCO Silver Fabric, TIBCO Silver Fabric Enabler for ActiveMatrix BPM, and TIBCO Silver Fabric Enabler for ActiveMatrix Service Grid contains a vulnerability wherein a user without privileges to upload distributed application archives ("Upload DAA" permission) can theoretically upload arbitrary code, and in some circumstances then execute that code on ActiveMatrix Service Grid nodes. Affected releases are TIBCO Software Inc.'s TIBCO ActiveMatrix BPM: versions up to and including 4.2.0, TIBCO ActiveMatrix BPM Distribution for TIBCO Silver Fabric: versions up to and including 4.2.0, TIBCO ActiveMatrix Policy Director: versions up to and including 1.1.0, TIBCO ActiveMatrix Service Bus: versions up to and including 3.3.0, TIBCO ActiveMatrix Service Grid: versions up to and including 3.3.1, TIBCO ActiveMatrix Service Grid Distribution for TIBCO Silver Fabric: versions up to and including 3.3.0, TIBCO Silver Fabric Enabler for ActiveMatrix BPM: versions up to and including 1.4.1, and TIBCO Silver Fabric Enabler for ActiveMatrix Service Grid: versions up to and including 1.3.1.

Published

2019-04-24T21:29:01.257

Last Modified

2024-11-21T04:50:46.517

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 8.8 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:S/C:P/I:P/A:P

Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

8.0

Impact Score

6.4

Weaknesses

Type: Primary
CWE-434

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	tibco	activematrix_bpm	≤ 4.2.0	Yes
Application	tibco	activematrix_bpm	≤ 4.2.0	Yes
Application	tibco	activematrix_policy_director	≤ 1.1.0	Yes
Application	tibco	activematrix_service_bus	≤ 3.3.0	Yes
Application	tibco	activematrix_service_grid	≤ 3.3.0	Yes
Application	tibco	activematrix_service_grid	≤ 3.3.1	Yes
Application	tibco	silver_fabric_enabler	≤ 1.3.1	Yes
Application	tibco	silver_fabric_enabler	≤ 1.4.1	Yes

References

http://www.securityfocus.com/bid/108058 Broken Link, Third Party Advisory, VDB Entry ([email protected])
http://www.tibco.com/services/support/advisories Vendor Advisory ([email protected])
https://www.tibco.com/support/advisories/2019/04/tibco-security-advisory-april-24-2019-tibco-active-matrix-service-grid-2019-8992 Vendor Advisory ([email protected])
http://www.securityfocus.com/bid/108058 Broken Link, Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
http://www.tibco.com/services/support/advisories Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.tibco.com/support/advisories/2019/04/tibco-security-advisory-april-24-2019-tibco-active-matrix-service-grid-2019-8992 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)