CVE-2018-12408

TIBCO ActiveMatrix BusinessWorks 5.X XML eXternal Entity Vulnerability

  • Severity Score: 7.5 (CVSS v3)
  • Exploit Likelihood (EPSS):
  • Affected Versions (CPE):
  • Public Exploits: 0 (Multiple Sources)
  • Exploited in Wild: - (KEV)
  • Decision: - (SSVC)

Descriptions

The BusinessWorks engine component of TIBCO Software Inc.'s TIBCO ActiveMatrix BusinessWorks, TIBCO ActiveMatrix BusinessWorks for z/Linux, and TIBCO ActiveMatrix BusinessWorks Distribution for TIBCO Silver Fabric contains a vulnerability that may allow XML eXternal Entity (XXE) attacks via incoming network messages, and may disclose the contents of files accessible to a running BusinessWorks engine. Affected releases are TIBCO Software Inc. TIBCO ActiveMatrix BusinessWorks: versions up to and including 5.13.0, TIBCO ActiveMatrix BusinessWorks for z/Linux: versions up to and including 5.13.0, TIBCO ActiveMatrix BusinessWorks Distribution for TIBCO Silver Fabric: versions up to and including 5.13.0.

*Credits: N/A
CVSS Scores
CVSS v3
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: None
  • Availability: None
CVSS v2
  • Attack Vector: Network
  • Attack Complexity: Low
  • Authentication: None
  • Confidentiality: Partial
  • Integrity: None
  • Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2018-06-14 CVE Reserved
  • 2018-08-08 CVE Published
  • 2024-02-08 EPSS Updated
  • 2024-09-17 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-611: Improper Restriction of XML External Entity Reference
CAPEC
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
Tibco | Activematrix Businessworks | <= 5.13.0 | - | Affected
Tibco | Activematrix Businessworks | <= 5.13.0 | linux | Affected
Tibco | Activematrix Businessworks Distribution For Tibco Silver Fabric | <= 5.13.0 | - | Affected