Spotfire Security Advisory: June 26, 2024: Spotfire - CVE-2024-3330


    Spotfire Security Advisory for Spotfire Remote Code Execution Vulnerability.

    Spotfire Remote Code Execution Vulnerability


    Original release date: June 26, 2024
    Last revised: —
    CVE-2024-3330

    Source: Cloud Software Group Inc.


    Products Affected

    •    Spotfire Analyst 12.0.9 and earlier
    •    Spotfire Analyst 12.1.0, 12.1.1, 12.2.0, 12.3.0, 12.4.0, 12.5.0, 14.0.0, 14.0.1, 14.0.2
    •    Spotfire Analyst 14.1.0, 14.2.0, 14.3.0
    •    Spotfire Server 12.0.10 and earlier
    •    Spotfire Server 12.1.0, 12.1.1, 12.2.0, 12.3.0, 12.4.0, 12.5.0, 14.0.0, 14.0.1, 14.0.2, 14.0.3
    •    Spotfire Server 14.2.0, 14.3.0
    •    Spotfire for AWS Marketplace 14.3.0 and earlier

    The following components are affected:
    •    Spotfire Analyst
    •    Spotfire Web Player
    •    Spotfire Automation Services


    Description

    The components listed above contain an easily exploitable vulnerability that allows a low-privileged attacker with read/write access to craft malicious Analyst files. Successful exploitation allows the attacker to execute arbitrary code on the host running the Spotfire client, resulting in remote code execution.

    Impact
    a) In the case of the installed Windows client: successful exploitation will result in an attacker being able to run arbitrary code. This requires human interaction from a person other than the attacker.
    b) In the case of the Web Player (Business Author): successful exploitation via the Web Player will result in the attacker being able to run arbitrary code as the account running the Web Player process.
    c) In the case of Automation Services: successful exploitation will result in an attacker being able to run arbitrary code via Automation Services.
    CVSS v3.1 Base Score: 9.9 (Critical) (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)


    Solution
    Cloud Software Group has released updated versions of the affected systems which address this issue:
    •    Spotfire Analyst 12.0.9 and earlier: upgrade to version 12.0.10 or higher
    •    Spotfire Analyst 12.1.0, 12.1.1, 12.2.0, 12.3.0, 12.4.0, 12.5.0, 14.0.0, 14.0.1, 14.0.2: upgrade to version 14.0.3 or higher
    •    Spotfire Analyst 14.1.0, 14.2.0, 14.3.0: upgrade to version 14.4.0
    •    Spotfire Server 12.0.10 and earlier: upgrade to version 12.0.11
    •    Spotfire Server 12.1.0, 12.1.1, 12.2.0, 12.3.0, 12.4.0, 12.5.0, 14.0.0, 14.0.1, 14.0.2, 14.0.3: upgrade to version 14.0.4 or higher
    •    Spotfire Server 14.2.0, 14.3.0: upgrade to version 14.4.0
    •    Spotfire for AWS Marketplace 14.3.0 and earlier: upgrade to version 14.4.0 or higher
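For an inventory check, the affected and fixed versions above need to be compared as version tuples rather than strings, and the two shapes of rule ("X and earlier" versus an enumerated list) handled separately. The script below is an added example, not Cloud Software Group's code: it transcribes the advisory's rules, parses dotted version strings, and reports the upgrade target for each host. The product labels ("Analyst", "Server", "AWS Marketplace") and the host inventory are constructed for the example; a version the advisory does not name (Server 14.1.0, for instance) is reported as None rather than guessed either way.

```python
# Advisory rules transcribed from the Products Affected and Solution lists.
# kind "max" means "this version and earlier"; kind "list" means exactly the
# enumerated versions. The fix column is the advisory's wording.
RULES = [
    ("Analyst", "max", "12.0.9", "12.0.10 or higher"),
    ("Analyst", "list", ["12.1.0", "12.1.1", "12.2.0", "12.3.0", "12.4.0",
                         "12.5.0", "14.0.0", "14.0.1", "14.0.2"], "14.0.3 or higher"),
    ("Analyst", "list", ["14.1.0", "14.2.0", "14.3.0"], "14.4.0"),
    ("Server", "max", "12.0.10", "12.0.11"),
    ("Server", "list", ["12.1.0", "12.1.1", "12.2.0", "12.3.0", "12.4.0",
                        "12.5.0", "14.0.0", "14.0.1", "14.0.2", "14.0.3"], "14.0.4 or higher"),
    ("Server", "list", ["14.2.0", "14.3.0"], "14.4.0"),
    ("AWS Marketplace", "max", "14.3.0", "14.4.0 or higher"),
]


def parse_version(text):
    """'12.0.9' -> (12, 0, 9); rejects anything that is not dotted integers."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError("bad version string: %r" % text)
    return tuple(int(p) for p in parts)


def required_fix(product, version):
    """Return the advisory's upgrade target for (product, version), or None
    if the advisory does not name that version as affected."""
    v = parse_version(version)
    for rule_product, kind, versions, fix in RULES:
        if rule_product != product:
            continue
        if kind == "max" and v <= parse_version(versions):
            return fix
        if kind == "list" and v in {parse_version(x) for x in versions}:
            return fix
    return None


def check_inventory(hosts):
    """hosts: iterable of (hostname, product, version).
    Returns (hostname, product, version, fix) for every affected host."""
    findings = []
    for host, product, version in hosts:
        fix = required_fix(product, version)
        if fix is not None:
            findings.append((host, product, version, fix))
    return findings


# Constructed sample inventory (hypothetical hostnames).
SAMPLE_INVENTORY = [
    ("analyst-ws01", "Analyst", "12.0.5"),
    ("analyst-ws02", "Analyst", "14.4.0"),
    ("sfs-prod", "Server", "14.0.3"),
    ("sfs-test", "Server", "14.1.0"),
    ("sfs-aws", "AWS Marketplace", "13.2.0"),
]

if __name__ == "__main__":
    for host, product, version, fix in check_inventory(SAMPLE_INVENTORY):
        print("%s: Spotfire %s %s is affected, upgrade to %s" % (host, product, version, fix))
```

Tuple comparison is what makes "12.0.9 and earlier" safe: (12, 0, 10) is correctly greater than (12, 0, 9), which a plain string comparison would get wrong.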

    References

    https://community.spotfire.com/security-advisories/
    CVE-2024-3330
     

