CVE-2019-8992

The administrative server component of TIBCO Software Inc.'s TIBCO ActiveMatrix BPM, TIBCO ActiveMatrix BPM Distribution for TIBCO Silver Fabric, TIBCO ActiveMatrix Policy Director, TIBCO ActiveMatrix Service Bus, TIBCO ActiveMatrix Service Grid, TIBCO ActiveMatrix Service Grid Distribution for TIBCO Silver Fabric, TIBCO Silver Fabric Enabler for ActiveMatrix BPM, and TIBCO Silver Fabric Enabler for ActiveMatrix Service Grid contains a vulnerability wherein a user without privileges to upload distributed application archives ("Upload DAA" permission) can theoretically upload arbitrary code, and in some circumstances then execute that code on ActiveMatrix Service Grid nodes. Affected releases are TIBCO Software Inc.'s TIBCO ActiveMatrix BPM: versions up to and including 4.2.0, TIBCO ActiveMatrix BPM Distribution for TIBCO Silver Fabric: versions up to and including 4.2.0, TIBCO ActiveMatrix Policy Director: versions up to and including 1.1.0, TIBCO ActiveMatrix Service Bus: versions up to and including 3.3.0, TIBCO ActiveMatrix Service Grid: versions up to and including 3.3.1, TIBCO ActiveMatrix Service Grid Distribution for TIBCO Silver Fabric: versions up to and including 3.3.0, TIBCO Silver Fabric Enabler for ActiveMatrix BPM: versions up to and including 1.4.1, and TIBCO Silver Fabric Enabler for ActiveMatrix Service Grid: versions up to and including 1.3.1.

CVSS v3 8.8 HIGH
CVSS v2.0 6.5 MEDIUM

8.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.5^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploitability : 8.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://www.securityfocus.com/bid/108058	Broken Link Third Party Advisory VDB Entry
http://www.tibco.com/services/support/advisories	Vendor Advisory
https://www.tibco.com/support/advisories/2019/04/tibco-security-advisory-april-24-2019-tibco-active-matrix-service-grid-2019-8992	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:tibco:activematrix_bpm::::::::
	cpe:2.3:a:tibco:activematrix_bpm::::::silver_fabric::*
	cpe:2.3:a:tibco:activematrix_policy_director::::::::
	cpe:2.3:a:tibco:activematrix_service_bus::::::::
	cpe:2.3:a:tibco:activematrix_service_grid::::::silver_fabric::*
	cpe:2.3:a:tibco:activematrix_service_grid::::::::
	cpe:2.3:a:tibco:silver_fabric_enabler::::::activematrix_service_grid::*
	cpe:2.3:a:tibco:silver_fabric_enabler::::::activematrix_bpm::*

History

No history.

Information

Published : 2019-04-24 21:29

Updated : 2022-10-14 11:18

NVD link : CVE-2019-8992

Mitre link : CVE-2019-8992

CVE.ORG link : CVE-2019-8992

JSON object : View

Products Affected

tibco

activematrix_service_grid
activematrix_policy_director
activematrix_service_bus
activematrix_bpm
silver_fabric_enabler

CWE

CWE-434

Unrestricted Upload of File with Dangerous Type

{"id": "CVE-2019-8992", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Secondary", "source": "security@tibco.com", "cvssData": {"scope": "CHANGED", "version": "3.0", "baseScore": 9.9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.1}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2019-04-24T21:29:01.257", "references": [{"url": "http://www.securityfocus.com/bid/108058", "tags": ["Broken Link", "Third Party Advisory", "VDB Entry"], "source": "security@tibco.com"}, {"url": "http://www.tibco.com/services/support/advisories", "tags": ["Vendor Advisory"], "source": "security@tibco.com"}, {"url": "https://www.tibco.com/support/advisories/2019/04/tibco-security-advisory-april-24-2019-tibco-active-matrix-service-grid-2019-8992", "tags": ["Vendor Advisory"], "source": "security@tibco.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-434"}]}], "descriptions": [{"lang": "en", "value": "The administrative server component of TIBCO Software Inc.'s TIBCO ActiveMatrix BPM, TIBCO ActiveMatrix BPM Distribution for TIBCO Silver Fabric, TIBCO ActiveMatrix Policy Director, TIBCO ActiveMatrix Service Bus, TIBCO ActiveMatrix Service Grid, TIBCO ActiveMatrix Service Grid Distribution for TIBCO Silver Fabric, TIBCO Silver Fabric Enabler for ActiveMatrix BPM, and TIBCO Silver Fabric Enabler for ActiveMatrix Service Grid contains a vulnerability wherein a user without privileges to upload distributed application archives (\"Upload DAA\" permission) can theoretically upload arbitrary code, and in some circumstances then execute that code on ActiveMatrix Service Grid nodes. Affected releases are TIBCO Software Inc.'s TIBCO ActiveMatrix BPM: versions up to and including 4.2.0, TIBCO ActiveMatrix BPM Distribution for TIBCO Silver Fabric: versions up to and including 4.2.0, TIBCO ActiveMatrix Policy Director: versions up to and including 1.1.0, TIBCO ActiveMatrix Service Bus: versions up to and including 3.3.0, TIBCO ActiveMatrix Service Grid: versions up to and including 3.3.1, TIBCO ActiveMatrix Service Grid Distribution for TIBCO Silver Fabric: versions up to and including 3.3.0, TIBCO Silver Fabric Enabler for ActiveMatrix BPM: versions up to and including 1.4.1, and TIBCO Silver Fabric Enabler for ActiveMatrix Service Grid: versions up to and including 1.3.1."}, {"lang": "es", "value": "El componente de servidor administrativo de TIBCO Software Inc.TIBCO ActiveMatrix BPM, TIBCO ActiveMatrix BPM Distribution para TIBCO Silver Fabric, TIBCO ActiveMatrix Policy Director, TIBCO ActiveMatrix Service Bus, TIBCO ActiveMatrix Service Grid, TIBCO ActiveMatrix Service Grid Distribution para TIBCO Silver Fabric, TIBCO Silver Fabric Enabler para ActiveMatrix BPM, y TIBCO Silver Fabric Enabler para ActiveMatrix Service Grid contiene una vulnerabilidad en la que un usuario sin privilegios para cargar archivos de aplicaciones distribuidos (permiso \"Upload DAA\") puede te\u00f3ricamente cargar c\u00f3digo arbitrario y, en algunas circunstancias, ejecutar ese c\u00f3digo en nodos de ActiveMatrix Service Grid. Las versiones afectadas son TIBCO Software Inc.'s TIBCO ActiveMatrix BPM: versiones hasta 4.2.0 inclusive, TIBCO ActiveMatrix BPM Distribution para TIBCO Silver Fabric: versiones hasta 4.2.0 inclusive, TIBCO ActiveMatrix Policy Director: versiones hasta 1.1.0 inclusive, TIBCO ActiveMatrix Service Bus: versiones hasta 3.3.0 inclusive, TIBCO ActiveMatrix Service Grid: versiones hasta 3.3.1 inclusive, TIBCO ActiveMatrix Service Grid Distribution para TIBCO Silver Fabric: versiones hasta 3.3.0 inclusive, TIBCO Silver Fabric Enabler para ActiveMatrix BPM: versiones hasta 1.4.1 inclusive y TIBCO Silver Fabric Enabler para ActiveMatrix Service Grid: versiones hasta 1.3.1 inclusive."}], "lastModified": "2022-10-14T11:18:30.063", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:tibco:activematrix_bpm:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A533C8A0-3C54-4096-8C29-22E287CB682F", "versionEndIncluding": "4.2.0"}, {"criteria": "cpe:2.3:a:tibco:activematrix_bpm:*:*:*:*:*:silver_fabric:*:*", "vulnerable": true, "matchCriteriaId": "B01AFA33-D029-48E1-B748-0E828F13F6A7", "versionEndIncluding": "4.2.0"}, {"criteria": "cpe:2.3:a:tibco:activematrix_policy_director:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0F67910C-AE3D-4A9F-B9E3-617D9EAAFBF7", "versionEndIncluding": "1.1.0"}, {"criteria": "cpe:2.3:a:tibco:activematrix_service_bus:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C4A41001-9FD6-4821-99C5-56CB1D1C4002", "versionEndIncluding": "3.3.0"}, {"criteria": "cpe:2.3:a:tibco:activematrix_service_grid:*:*:*:*:*:silver_fabric:*:*", "vulnerable": true, "matchCriteriaId": "1EC19FE2-7EF2-4B67-8AE7-47B4ECFD9A5A", "versionEndIncluding": "3.3.0"}, {"criteria": "cpe:2.3:a:tibco:activematrix_service_grid:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BBFA5AC6-473A-4FF8-B418-4633DC837E9B", "versionEndIncluding": "3.3.1"}, {"criteria": "cpe:2.3:a:tibco:silver_fabric_enabler:*:*:*:*:*:activematrix_service_grid:*:*", "vulnerable": true, "matchCriteriaId": "52116CC3-1347-4B8E-81F0-D17668D88D10", "versionEndIncluding": "1.3.1"}, {"criteria": "cpe:2.3:a:tibco:silver_fabric_enabler:*:*:*:*:*:activematrix_bpm:*:*", "vulnerable": true, "matchCriteriaId": "85EFD5DF-F39D-4737-82A4-3E10BBF3EF2C", "versionEndIncluding": "1.4.1"}], "operator": "OR"}]}], "sourceIdentifier": "security@tibco.com"}

8.8 /10