CVE-2024-3330

Spotfire Remote Code Execution Vulnerability

Severity Score

9.9

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

Vulnerability in Spotfire Spotfire Analyst, Spotfire Spotfire Server, Spotfire Spotfire for AWS Marketplace allows In the case of the installed Windows client: Successful execution of this vulnerability will result in an attacker being able to run arbitrary code.This requires human interaction from a person other than the attacker., In the case of the Web player (Business Author): Successful execution of this vulnerability via the Web Player, will result in the attacker being able to run arbitrary code as the account running the Web player process, In the case of Automation Services: Successful execution of this vulnerability will result in an attacker being able to run arbitrary code via Automation Services..This issue affects Spotfire Analyst: from 12.0.9 through 12.5.0, from 14.0 through 14.0.2; Spotfire Server: from 12.0.10 through 12.5.0, from 14.0 through 14.0.3, from 14.2.0 through 14.3.0; Spotfire for AWS Marketplace: from 14.0 before 14.3.0.

*Credits: N/A

CVSS Scores

TIBCO Software Inc.v3.1 9.9

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2024-04-04 CVE Reserved
2024-06-27 CVE Published
2024-06-28 EPSS Updated
2024-08-01 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-250: Execution with Unnecessary Privileges

CAPEC

References (1)

URL	Tag	Source
https://community.spotfire.com/articles/spotfire/spotfire-security-advisory-june-262024-spotfire-cve-2024-3330-r3435

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Spotfire Search vendor "Spotfire"		Spotfire Analyst Search vendor "Spotfire" for product "Spotfire Analyst"				>= 12.0.9 <= 12.5.0 Search vendor "Spotfire" for product "Spotfire Analyst" and version " >= 12.0.9 <= 12.5.0"		en		Affected
Spotfire Search vendor "Spotfire"		Spotfire Analyst Search vendor "Spotfire" for product "Spotfire Analyst"				>= 14.0.0 <= 14.0.2 Search vendor "Spotfire" for product "Spotfire Analyst" and version " >= 14.0.0 <= 14.0.2"		en		Affected
Spotfire Search vendor "Spotfire"		Spotfire Server Search vendor "Spotfire" for product "Spotfire Server"				>= 12.0.10 <= 12.5.0 Search vendor "Spotfire" for product "Spotfire Server" and version " >= 12.0.10 <= 12.5.0"		en		Affected
Spotfire Search vendor "Spotfire"		Spotfire Server Search vendor "Spotfire" for product "Spotfire Server"				>= 14.0.0 <= 14.0.3 Search vendor "Spotfire" for product "Spotfire Server" and version " >= 14.0.0 <= 14.0.3"		en		Affected
Spotfire Search vendor "Spotfire"		Spotfire Server Search vendor "Spotfire" for product "Spotfire Server"				>= 14.2.0 <= 14.3.0 Search vendor "Spotfire" for product "Spotfire Server" and version " >= 14.2.0 <= 14.3.0"		en		Affected
Spotfire Search vendor "Spotfire"		Spotfire For AWS Marketplace Search vendor "Spotfire" for product "Spotfire For AWS Marketplace"				>= 14.0.0 < 14.3.0 Search vendor "Spotfire" for product "Spotfire For AWS Marketplace" and version " >= 14.0.0 < 14.3.0"		en		Affected