CVE-2025-3114

Summary

Code Execution via Malicious Files: Attackers can create specially crafted files with embedded code that may execute without adequate security validation, potentially leading to system compromise.

Sandbox Bypass Vulnerability: A flaw in the TERR security mechanism allows attackers to bypass sandbox restrictions, enabling the execution of untrusted code without appropriate controls.

Affected Software

VendorProductVersion RangeStatus
SpotfireSpotfire Enterprise Runtime for R6 <= 1.4affected
SpotfireSpotfire Statistics Services14 <= 0.6affected
SpotfireSpotfire Statistics Services14.1.0affected
SpotfireSpotfire Statistics Services14.2.0affected
SpotfireSpotfire Statistics Services14.3.0affected
SpotfireSpotfire Statistics Services14.4.0affected
SpotfireSpotfire Statistics Services14.4.1affected
SpotfireSpotfire Analyst14 <= 0.5affected
SpotfireSpotfire Analyst14.1.0affected
SpotfireSpotfire Analyst14.2.0affected
SpotfireSpotfire Analyst14.3.0affected
SpotfireSpotfire Analyst14.4.0affected
SpotfireSpotfire Analyst14.4.1affected
SpotfireDeployment Kit used in Spotfire Server14 <= 0.6affected
SpotfireDeployment Kit used in Spotfire Server14.1.0affected
SpotfireDeployment Kit used in Spotfire Server14.2.0affected
SpotfireDeployment Kit used in Spotfire Server14.3.0affected
SpotfireDeployment Kit used in Spotfire Server14.4.0affected
SpotfireDeployment Kit used in Spotfire Server14.4.1affected
SpotfireSpotfire Desktop14 <= 4.1affected
SpotfireSpotfire for AWS Marketplace14 <= 4.1unknown
SpotfireSpotfire Enterprise Runtime for R - Server Edition1 <= 17.6affected
SpotfireSpotfire Enterprise Runtime for R - Server Edition1.18.0affected
SpotfireSpotfire Enterprise Runtime for R - Server Edition1.19.0affected
SpotfireSpotfire Enterprise Runtime for R - Server Edition1.20.0affected
SpotfireSpotfire Enterprise Runtime for R - Server Edition1.21.0affected
SpotfireSpotfire Enterprise Runtime for R - Server Edition1.21.1affected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References