CVSS3
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
EPSS Percentile: 9.0%
TIBCO Hawk install-time password disclosure vulnerability
Original release date: May 14, 2024
Last revised: -
CVE-2024-3182
Source: TIBCO Software Inc.
Products Affected
TIBCO Hawk versions 6.2.0, 6.2.1, 6.2.2 and 6.2.3.
Component Affected:
TIBCO Hawk Universal Installer including the Silent Installer
Description
The components listed above contain a vulnerability that allows the TIBCO Hawk user's Enterprise Message Service (EMS) password to be exposed outside of the hawkagent.cfg and hawkevent.cfg config files.
Impact
The impact of this vulnerability includes the theoretical possibility that an attacker could access the message stream of the EMS server, or in the worst case, gain administrative access to the server. It is recommended that the EMS password utilized by the TIBCO Hawk components be changed as soon as possible.
CVSS v3 Base Score: 6.5 (Medium) CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Solution
Upgrade TIBCO Hawk versions 6.2.0, 6.2.1, 6.2.2 and 6.2.3 to version 6.2.4.
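To locate leaked copies before changing the password, the following check (an added example, not TIBCO code) walks a directory tree and lists every file other than hawkagent.cfg and hawkevent.cfg that contains the current EMS password. The environment variable name HAWK_EMS_PASSWORD, the directory argument and the two text encodings searched are assumptions of this example; the advisory does not state where the password is exposed.

```python
import os
import sys

# Per the advisory, the EMS password is expected only in these two files.
EXPECTED_FILES = {"hawkagent.cfg", "hawkevent.cfg"}
CHUNK = 1 << 20  # read 1 MiB at a time so large logs are not loaded whole


def _contains(path, needles):
    """True if any needle occurs in the file, including across chunk edges."""
    keep = max(len(n) for n in needles) - 1
    tail = b""
    with open(path, "rb") as fh:
        while chunk := fh.read(CHUNK):
            buf = tail + chunk
            if any(n in buf for n in needles):
                return True
            tail = buf[-keep:] if keep else b""
    return False


def find_exposures(root, password):
    """Return (exposed, unreadable) lists of file paths under root."""
    if not password:
        raise ValueError("password must not be empty")
    # Assumption: a leaked copy is plain text in UTF-8 or UTF-16LE.
    needles = [password.encode("utf-8"), password.encode("utf-16-le")]
    exposed, unreadable = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() in EXPECTED_FILES or os.path.islink(path):
                continue
            try:
                if _contains(path, needles):
                    exposed.append(path)
            except OSError:
                unreadable.append(path)  # report it, do not assume it is clean
    return sorted(exposed), sorted(unreadable)


if __name__ == "__main__":
    # HAWK_EMS_PASSWORD is a hypothetical variable name chosen for this example.
    secret = os.environ.get("HAWK_EMS_PASSWORD", "")
    exposed, unreadable = find_exposures(sys.argv[1], secret)
    for p in exposed:
        print("password found in:", p)  # the secret itself is never printed
    for p in unreadable:
        print("could not read:", p)
    sys.exit(1 if exposed else 0)
```

Only plaintext copies are detected, so a clean result does not replace the upgrade and password change the advisory recommends.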
References
<https://community.tibco.com/advisories>
CVE-2024-3182