Vulnerability Monitor

CVE-2021-35497


The FTL Server (tibftlserver) and Docker images containing tibftlserver components of TIBCO Software Inc.'s TIBCO ActiveSpaces - Community Edition, TIBCO ActiveSpaces - Developer Edition, TIBCO ActiveSpaces - Enterprise Edition, TIBCO FTL - Community Edition, TIBCO FTL - Developer Edition, TIBCO FTL - Enterprise Edition, TIBCO eFTL - Community Edition, TIBCO eFTL - Developer Edition, and TIBCO eFTL - Enterprise Edition contain a vulnerability that theoretically allows a non-administrative, authenticated FTL user to trick the affected components into creating illegitimate certificates. These maliciously generated certificates can be used to enable man-in-the-middle attacks or to escalate privileges so that the malicious user has administrative privileges.

Affected releases are TIBCO Software Inc.'s:

  • TIBCO ActiveSpaces - Community Edition: versions 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.6.1, and 4.6.2
  • TIBCO ActiveSpaces - Developer Edition: versions 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.6.1, and 4.6.2
  • TIBCO ActiveSpaces - Enterprise Edition: versions 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.6.1, and 4.6.2
  • TIBCO FTL - Community Edition: versions 6.2.0, 6.3.0, 6.3.1, 6.4.0, 6.5.0, 6.6.0, 6.6.1, and 6.7.0
  • TIBCO FTL - Developer Edition: versions 6.2.0, 6.3.0, 6.3.1, 6.4.0, 6.5.0, 6.6.0, 6.6.1, and 6.7.0
  • TIBCO FTL - Enterprise Edition: versions 6.2.0, 6.3.0, 6.3.1, 6.4.0, 6.5.0, 6.6.0, 6.6.1, and 6.7.0
  • TIBCO eFTL - Community Edition: versions 6.2.0, 6.3.0, 6.3.1, 6.4.0, 6.5.0, 6.6.0, 6.6.1, and 6.7.0
  • TIBCO eFTL - Developer Edition: versions 6.2.0, 6.3.0, 6.3.1, 6.4.0, 6.5.0, 6.6.0, 6.6.1, and 6.7.0
  • TIBCO eFTL - Enterprise Edition: versions 6.2.0, 6.3.0, 6.3.1, 6.4.0, 6.5.0, 6.6.0, 6.6.1, and 6.7.0


Published

2021-10-05T18:15:07.690

Last Modified

2024-11-21T06:12:23.117

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.5 (HIGH)

CVSSv2 Vector

AV:N/AC:M/Au:S/C:P/I:P/A:P

  • Access Vector: NETWORK
  • Access Complexity: MEDIUM
  • Authentication: SINGLE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL

Exploitability Score

6.8

Impact Score

6.4

Weaknesses
  • Type: Primary
    CWE-295

Affected Vendors & Products
Type Vendor Product Version/Range Vulnerable?
Application tibco activespaces 4.3.0 Yes
Application tibco activespaces 4.3.0 Yes
Application tibco activespaces 4.3.0 Yes
Application tibco activespaces 4.4.0 Yes
Application tibco activespaces 4.4.0 Yes
Application tibco activespaces 4.4.0 Yes
Application tibco activespaces 4.5.0 Yes
Application tibco activespaces 4.5.0 Yes
Application tibco activespaces 4.5.0 Yes
Application tibco activespaces 4.6.0 Yes
Application tibco activespaces 4.6.0 Yes
Application tibco activespaces 4.6.0 Yes
Application tibco activespaces 4.6.1 Yes
Application tibco activespaces 4.6.1 Yes
Application tibco activespaces 4.6.1 Yes
Application tibco activespaces 4.6.2 Yes
Application tibco activespaces 4.6.2 Yes
Application tibco activespaces 4.6.2 Yes
Application tibco eftl 6.2.0 Yes
Application tibco eftl 6.2.0 Yes
Application tibco eftl 6.2.0 Yes
Application tibco eftl 6.3.0 Yes
Application tibco eftl 6.3.0 Yes
Application tibco eftl 6.3.0 Yes
Application tibco eftl 6.3.1 Yes
Application tibco eftl 6.3.1 Yes
Application tibco eftl 6.3.1 Yes
Application tibco eftl 6.4.0 Yes
Application tibco eftl 6.4.0 Yes
Application tibco eftl 6.4.0 Yes
Application tibco eftl 6.5.0 Yes
Application tibco eftl 6.5.0 Yes
Application tibco eftl 6.5.0 Yes
Application tibco eftl 6.6.0 Yes
Application tibco eftl 6.6.0 Yes
Application tibco eftl 6.6.0 Yes
Application tibco eftl 6.6.1 Yes
Application tibco eftl 6.6.1 Yes
Application tibco eftl 6.6.1 Yes
Application tibco eftl 6.7.0 Yes
Application tibco eftl 6.7.0 Yes
Application tibco eftl 6.7.0 Yes
Application tibco ftl 6.2.0 Yes
Application tibco ftl 6.2.0 Yes
Application tibco ftl 6.2.0 Yes
Application tibco ftl 6.3.0 Yes
Application tibco ftl 6.3.0 Yes
Application tibco ftl 6.3.0 Yes
Application tibco ftl 6.3.1 Yes
Application tibco ftl 6.3.1 Yes
Application tibco ftl 6.3.1 Yes
Application tibco ftl 6.4.0 Yes
Application tibco ftl 6.4.0 Yes
Application tibco ftl 6.4.0 Yes
Application tibco ftl 6.5.0 Yes
Application tibco ftl 6.5.0 Yes
Application tibco ftl 6.5.0 Yes
Application tibco ftl 6.6.0 Yes
Application tibco ftl 6.6.0 Yes
Application tibco ftl 6.6.0 Yes
Application tibco ftl 6.6.1 Yes
Application tibco ftl 6.6.1 Yes
Application tibco ftl 6.6.1 Yes
Application tibco ftl 6.7.0 Yes
Application tibco ftl 6.7.0 Yes
Application tibco ftl 6.7.0 Yes