CVE-2017-3181

Multiple TIBCO Spotfire components are vulnerable to multiple unspecified SQL-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in an SQL query

Severity Score

9.8

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Multiple TIBCO Products are prone to multiple unspecified SQL-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in an SQL query. Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. The following products and versions are affected: TIBCO Spotfire Analyst 7.7.0 TIBCO Spotfire Connectors 7.6.0 TIBCO Spotfire Deployment Kit 7.7.0 TIBCO Spotfire Desktop 7.6.0 TIBCO Spotfire Desktop 7.7.0 TIBCO Spotfire Desktop Developer Edition 7.7.0 TIBCO Spotfire Desktop Language Packs 7.6.0 TIBCO Spotfire Desktop Language Packs 7.7.0 The following components are affected: TIBCO Spotfire Client TIBCO Spotfire Web Player Client

Múltiples productos TIBCO son propensos a múltiples vulnerabilidades sin especificar de inyección SQL debido a que fracasan a la hora de sanear entradas proporcionadas por el usuario antes de emplearlas en una consulta SQL. La explotación de estos problemas podría permitir que un atacante comprometa la aplicación, acceda o modifique datos o explote vulnerabilidades latentes en la base de datos subyacente. Los siguientes productos y versiones se han visto afectados: TIBCO Spotfire Analyst 7.7.0; TIBCO Spotfire Connectors 7.6.0; TIBCO Spotfire Deployment Kit 7.7.0; TIBCO Spotfire Desktop 7.6.0; TIBCO Spotfire Desktop 7.7.0; TIBCO Spotfire Desktop Developer Edition 7.7.0; TIBCO Spotfire Desktop Language Packs 7.6.0; y TIBCO Spotfire Desktop Language Packs 7.7.0. Los siguientes componentes se han visto afectados: TIBCO Spotfire Client y TIBCO Spotfire Web Player Client.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2016-12-05 CVE Reserved
2018-07-24 CVE Published
2023-12-15 EPSS Updated
2024-08-05 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CAPEC

References (2)

URL	Tag	Source
https://www.securityfocus.com/bid/95696	Third Party Advisory

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://www.tibco.com/support/advisories/2017/01/tibco-security-advisory-january-10-2017-tibco-spotfire-2017-3181	2019-10-09

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Tibco Search vendor "Tibco"		Spotfire Analyst Search vendor "Tibco" for product "Spotfire Analyst"				7.7.0 Search vendor "Tibco" for product "Spotfire Analyst" and version "7.7.0"		-		Affected
Tibco Search vendor "Tibco"		Spotfire Client Search vendor "Tibco" for product "Spotfire Client"				-		-		Affected
Tibco Search vendor "Tibco"		Spotfire Connectors Search vendor "Tibco" for product "Spotfire Connectors"				7.6.0 Search vendor "Tibco" for product "Spotfire Connectors" and version "7.6.0"		-		Affected
Tibco Search vendor "Tibco"		Spotfire Deployment Kit Search vendor "Tibco" for product "Spotfire Deployment Kit"				7.7.0 Search vendor "Tibco" for product "Spotfire Deployment Kit" and version "7.7.0"		-		Affected
Tibco Search vendor "Tibco"		Spotfire Desktop Search vendor "Tibco" for product "Spotfire Desktop"				7.6.0 Search vendor "Tibco" for product "Spotfire Desktop" and version "7.6.0"		-		Affected
Tibco Search vendor "Tibco"		Spotfire Desktop Search vendor "Tibco" for product "Spotfire Desktop"				7.7.0 Search vendor "Tibco" for product "Spotfire Desktop" and version "7.7.0"		-		Affected
Tibco Search vendor "Tibco"		Spotfire Desktop Search vendor "Tibco" for product "Spotfire Desktop"				7.7.0 Search vendor "Tibco" for product "Spotfire Desktop" and version "7.7.0"		developer		Affected
Tibco Search vendor "Tibco"		Spotfire Desktop Language Packs Search vendor "Tibco" for product "Spotfire Desktop Language Packs"				7.6.0 Search vendor "Tibco" for product "Spotfire Desktop Language Packs" and version "7.6.0"		-		Affected
Tibco Search vendor "Tibco"		Spotfire Desktop Language Packs Search vendor "Tibco" for product "Spotfire Desktop Language Packs"				7.7.0 Search vendor "Tibco" for product "Spotfire Desktop Language Packs" and version "7.7.0"		-		Affected
Tibco Search vendor "Tibco"		Spotfire Web Player Client Search vendor "Tibco" for product "Spotfire Web Player Client"				-		-		Affected