Lucene search

[email protected]CVE-2019-8992

HistoryApr 24, 2019 - 9:29 p.m.

CVE-2019-8992

2019-04-2421:29:01

CWE-434

[email protected]

web.nvd.nist.gov

tibco

activematrix

bpm

service grid

silver fabric

security

vulnerability

cve-2019-8992

nvd

6.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.9 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

64.8%

JSON

The administrative server component of TIBCO Software Inc.'s TIBCO ActiveMatrix BPM, TIBCO ActiveMatrix BPM Distribution for TIBCO Silver Fabric, TIBCO ActiveMatrix Policy Director, TIBCO ActiveMatrix Service Bus, TIBCO ActiveMatrix Service Grid, TIBCO ActiveMatrix Service Grid Distribution for TIBCO Silver Fabric, TIBCO Silver Fabric Enabler for ActiveMatrix BPM, and TIBCO Silver Fabric Enabler for ActiveMatrix Service Grid contains a vulnerability wherein a user without privileges to upload distributed application archives (“Upload DAA” permission) can theoretically upload arbitrary code, and in some circumstances then execute that code on ActiveMatrix Service Grid nodes. Affected releases are TIBCO Software Inc.'s TIBCO ActiveMatrix BPM: versions up to and including 4.2.0, TIBCO ActiveMatrix BPM Distribution for TIBCO Silver Fabric: versions up to and including 4.2.0, TIBCO ActiveMatrix Policy Director: versions up to and including 1.1.0, TIBCO ActiveMatrix Service Bus: versions up to and including 3.3.0, TIBCO ActiveMatrix Service Grid: versions up to and including 3.3.1, TIBCO ActiveMatrix Service Grid Distribution for TIBCO Silver Fabric: versions up to and including 3.3.0, TIBCO Silver Fabric Enabler for ActiveMatrix BPM: versions up to and including 1.4.1, and TIBCO Silver Fabric Enabler for ActiveMatrix Service Grid: versions up to and including 1.3.1.

Affected configurations

NVD

Node

tibcoactivematrix_bpmRange≤4.2.0

tibcoactivematrix_bpmRange≤4.2.0silver_fabric

tibcoactivematrix_policy_directorRange≤1.1.0

tibcoactivematrix_service_busRange≤3.3.0

tibcoactivematrix_service_gridRange≤3.3.0silver_fabric

tibcoactivematrix_service_gridRange≤3.3.1

tibcosilver_fabric_enablerRange≤1.3.1activematrix_service_grid

tibcosilver_fabric_enablerRange≤1.4.1activematrix_bpm

CPENameOperatorVersion
tibco:activematrix_bpmtibco activematrix bpmle4.2.0
tibco:activematrix_policy_directortibco activematrix policy directorle1.1.0
tibco:activematrix_service_bustibco activematrix service busle3.3.0
tibco:activematrix_service_gridtibco activematrix service gridle3.3.0
tibco:activematrix_service_gridtibco activematrix service gridle3.3.1
tibco:silver_fabric_enablertibco silver fabric enablerle1.3.1
tibco:silver_fabric_enablertibco silver fabric enablerle1.4.1

CPE	Name	Operator	Version
tibco:activematrix_bpm	tibco activematrix bpm	le	4.2.0
tibco:activematrix_policy_director	tibco activematrix policy director	le	1.1.0
tibco:activematrix_service_bus	tibco activematrix service bus	le	3.3.0
tibco:activematrix_service_grid	tibco activematrix service grid	le	3.3.0
tibco:activematrix_service_grid	tibco activematrix service grid	le	3.3.1
tibco:silver_fabric_enabler	tibco silver fabric enabler	le	1.3.1
tibco:silver_fabric_enabler	tibco silver fabric enabler	le	1.4.1

CNA Affected

[
  {
    "product": "TIBCO ActiveMatrix BPM",
    "vendor": "TIBCO Software Inc.",
    "versions": [
      {
        "lessThanOrEqual": "4.2.0",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "TIBCO ActiveMatrix BPM Distribution for TIBCO Silver Fabric",
    "vendor": "TIBCO Software Inc.",
    "versions": [
      {
        "lessThanOrEqual": "4.2.0",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "TIBCO ActiveMatrix Policy Director",
    "vendor": "TIBCO Software Inc.",
    "versions": [
      {
        "lessThanOrEqual": "1.1.0",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "TIBCO ActiveMatrix Service Bus",
    "vendor": "TIBCO Software Inc.",
    "versions": [
      {
        "lessThanOrEqual": "3.3.0",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "TIBCO ActiveMatrix Service Grid",
    "vendor": "TIBCO Software Inc.",
    "versions": [
      {
        "lessThanOrEqual": "3.3.1",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "TIBCO ActiveMatrix Service Grid Distribution for TIBCO Silver Fabric",
    "vendor": "TIBCO Software Inc.",
    "versions": [
      {
        "lessThanOrEqual": "3.3.0",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "TIBCO Silver Fabric Enabler for ActiveMatrix BPM",
    "vendor": "TIBCO Software Inc.",
    "versions": [
      {
        "lessThanOrEqual": "1.4.1",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "TIBCO Silver Fabric Enabler for ActiveMatrix Service Grid",
    "vendor": "TIBCO Software Inc.",
    "versions": [
      {
        "lessThanOrEqual": "1.3.1",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]

References

www.securityfocus.com/bid/108058

www.tibco.com/services/support/advisories

www.tibco.com/support/advisories/2019/04/tibco-security-advisory-april-24-2019-tibco-active-matrix-service-grid-2019-8992

Social References

6.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.9 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

64.8%

JSON

Related for CVE-2019-8992

nvd1 cvelist1 prion1 tibco2