Spotfire Remote Code Execution Vulnerability
Original release date: June 26, 2024
Last revised: —
CVE-2024-3330
Source: Cloud Software Group Inc.
Products Affected
• Spotfire Analyst 12.0.9 and earlier
• Spotfire Analyst 12.1.0, 12.1.1, 12.2.0, 12.3.0, 12.4.0, 12.5.0, 14.0.0, 14.0.1, 14.0.2
• Spotfire Analyst 14.1.0, 14.2.0, 14.3.0
• Spotfire Server 12.0.10 and earlier
• Spotfire Server 12.1.0, 12.1.1, 12.2.0, 12.3.0, 12.4.0, 12.5.0, 14.0.0, 14.0.1, 14.0.2, 14.0.3
• Spotfire Server 14.2.0, 14.3.0
• Spotfire for AWS Marketplace 14.3.0 and earlier
The following components are affected:
• Spotfire Analyst
• Spotfire Web Player
• Spotfire Automation Services
Description
The components listed above contain an easily exploitable vulnerability that allows a low-privileged attacker with read/write access to craft malicious Analyst files. Successful exploitation results in the attacker being able to execute arbitrary code on the host running the Spotfire client, resulting in remote code execution.
Impact
a) In the case of the installed Windows client: Successful execution of this vulnerability will result in an attacker being able to run arbitrary code. This requires human interaction from a person other than the attacker.
b) In the case of the Web Player (Business Author): Successful exploitation via the Web Player will result in the attacker being able to run arbitrary code as the account running the Web Player process.
c) In the case of Automation Services: Successful execution of this vulnerability will result in an attacker being able to run arbitrary code via Automation Services.
CVSS v3.1 Base Score: 9.9 (Critical) (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
Solution
Cloud Software Group has released updated versions of the affected systems which address this issue:
• Spotfire Analyst 12.0.9 and earlier: upgrade to version 12.0.10 or higher
• Spotfire Analyst 12.1.0, 12.1.1, 12.2.0, 12.3.0, 12.4.0, 12.5.0, 14.0.0, 14.0.1, 14.0.2: upgrade to version 14.0.3 or higher
• Spotfire Analyst 14.1.0, 14.2.0, 14.3.0: upgrade to version 14.4.0
• Spotfire Server 12.0.10 and earlier: upgrade to version 12.0.11
• Spotfire Server 12.1.0, 12.1.1, 12.2.0, 12.3.0, 12.4.0, 12.5.0, 14.0.0, 14.0.1, 14.0.2, 14.0.3: upgrade to version 14.0.4 or higher
• Spotfire Server 14.2.0, 14.3.0: upgrade to version 14.4.0
• Spotfire for AWS Marketplace 14.3.0 and earlier: upgrade to version 14.4.0 or higher
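As an added example (not Cloud Software Group's tooling and not code from this advisory), the following Python script encodes the remediation lines above and reports, for an installed product and version, whether the advisory lists that version as affected and which version to upgrade to. The product names and version lists are transcribed from the advisory; the `assess` function, the `Rule` structure and the sample versions are the example's own, and the advisory's "X and earlier" wording is applied as a numeric upper bound, which is an interpretation. The point it demonstrates is that comparing against a single "first fixed" version is wrong for this advisory: Analyst 12.0.10 is fixed while the numerically later 12.1.0 is still affected, because the 12.0.x line received its own fix.

```python
"""Classify an installed Spotfire version against the CVE-2024-3330 remediation table.

Added example, not vendor code. Version lists are transcribed from the advisory;
the rule structure and the assess() helper are this example's own.
"""
from __future__ import annotations

from dataclasses import dataclass


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '14.0.3' into (14, 0, 3) so versions compare numerically, not as strings."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 3:
        raise ValueError(f"expected MAJOR.MINOR.PATCH, got {text!r}")
    return parts  # type: ignore[return-value]


@dataclass(frozen=True)
class Rule:
    """One remediation line of the advisory.

    fix:           version the advisory says to upgrade to
    max_inclusive: upper bound for an 'X and earlier' line (interpreted numerically), or None
    exact:         versions the advisory lists explicitly
    """
    fix: str
    max_inclusive: str | None = None
    exact: frozenset[str] = frozenset()

    def matches(self, version: tuple[int, int, int]) -> bool:
        if self.max_inclusive is not None and version <= parse_version(self.max_inclusive):
            return True
        return any(version == parse_version(e) for e in self.exact)


# Transcribed from the Solution section of the advisory.
ADVISORY: dict[str, list[Rule]] = {
    "Spotfire Analyst": [
        Rule(fix="12.0.10", max_inclusive="12.0.9"),
        Rule(fix="14.0.3", exact=frozenset({"12.1.0", "12.1.1", "12.2.0", "12.3.0", "12.4.0",
                                            "12.5.0", "14.0.0", "14.0.1", "14.0.2"})),
        Rule(fix="14.4.0", exact=frozenset({"14.1.0", "14.2.0", "14.3.0"})),
    ],
    "Spotfire Server": [
        Rule(fix="12.0.11", max_inclusive="12.0.10"),
        Rule(fix="14.0.4", exact=frozenset({"12.1.0", "12.1.1", "12.2.0", "12.3.0", "12.4.0",
                                            "12.5.0", "14.0.0", "14.0.1", "14.0.2", "14.0.3"})),
        Rule(fix="14.4.0", exact=frozenset({"14.2.0", "14.3.0"})),
    ],
    "Spotfire for AWS Marketplace": [
        Rule(fix="14.4.0", max_inclusive="14.3.0"),
    ],
}


def assess(product: str, version: str) -> str | None:
    """Return the version to upgrade to, or None if the advisory does not list
    this product/version combination as affected (e.g. it is already fixed)."""
    if product not in ADVISORY:
        raise ValueError(f"product not covered by this advisory: {product!r}")
    installed = parse_version(version)
    for rule in ADVISORY[product]:
        if rule.matches(installed):
            return rule.fix
    return None


if __name__ == "__main__":
    # Constructed inventory lines, not real hosts.
    inventory = [
        ("Spotfire Analyst", "12.0.9"),   # '12.0.9 and earlier' line
        ("Spotfire Analyst", "12.0.10"),  # fixed on the 12.0.x line
        ("Spotfire Analyst", "12.1.0"),   # numerically later than 12.0.10, still affected
        ("Spotfire Server", "14.0.3"),    # affected for Server even though fixed for Analyst
        ("Spotfire Server", "14.1.0"),    # not listed for Server
    ]
    for product, version in inventory:
        fix = assess(product, version)
        status = f"AFFECTED, upgrade to {fix} or later" if fix else "not listed as affected"
        print(f"{product} {version}: {status}")
```

Note that 14.0.3 is a fixed release for Analyst but an affected one for Server, so the check must be keyed by product, not just by version string.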
References
https://community.spotfire.com/security-advisories/
CVE-2024-3330