CVE-2023-29268

Summary

The Splus Server component of TIBCO Software Inc.'s TIBCO Spotfire Statistics Services contains a vulnerability that allows an unauthenticated remote attacker to upload or modify arbitrary files within the web server directory on the affected system. Affected releases are TIBCO Software Inc.'s TIBCO Spotfire Statistics Services: versions 11.4.10 and below, versions 11.5.0, 11.6.0, 11.6.1, 11.6.2, 11.7.0, 11.8.0, 11.8.1, 12.0.0, 12.0.1, and 12.0.2, versions 12.1.0 and 12.2.0.

Affected Software

VendorProductVersion RangeStatus
TIBCO Software Inc.TIBCO Spotfire Statistics Services0 <= 11.4.10affected
TIBCO Software Inc.TIBCO Spotfire Statistics Services11.5.0affected
TIBCO Software Inc.TIBCO Spotfire Statistics Services11.6.0affected
TIBCO Software Inc.TIBCO Spotfire Statistics Services11.6.1affected
TIBCO Software Inc.TIBCO Spotfire Statistics Services11.6.2affected
TIBCO Software Inc.TIBCO Spotfire Statistics Services11.7.0affected
TIBCO Software Inc.TIBCO Spotfire Statistics Services11.8.0affected
TIBCO Software Inc.TIBCO Spotfire Statistics Services11.8.1affected
TIBCO Software Inc.TIBCO Spotfire Statistics Services12.0.0affected
TIBCO Software Inc.TIBCO Spotfire Statistics Services12.0.1affected
TIBCO Software Inc.TIBCO Spotfire Statistics Services12.0.2affected
TIBCO Software Inc.TIBCO Spotfire Statistics Services12.1.0affected
TIBCO Software Inc.TIBCO Spotfire Statistics Services12.2.0affected

Weaknesses

  • Uploaded or modified files may be executed within the scope of the web server process allowing access to the system.

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References