PT-2020-20640 · Tibco · Spotfire Library

Published 2020-03-11 · Updated 2020-03-13 · CVE-2020-9408

CVSS v3.1: 9.9 (Critical)

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

TIBCO Spotfire Analytics Platform for AWS Marketplace versions 10.8.0 and below
TIBCO Spotfire Server versions 7.11.9 and below
TIBCO Spotfire Server versions 7.12.0 through 10.8.0
Description

The Spotfire library component contains a vulnerability that theoretically allows an attacker who has write permissions to the Spotfire Library, but not "Script Author" group permission, to modify attributes of files and objects saved to the library so that the system treats them as trusted. This could allow an attacker to cause the Spotfire Web Player, Analyst clients, and TERR Service to execute arbitrary code with the privileges of the system account that started those processes.
Recommendations

For TIBCO Spotfire Analytics Platform for AWS Marketplace versions 10.8.0 and below, update to a version above 10.8.0.
For TIBCO Spotfire Server versions 7.11.9 and below, update to a version above 7.11.9.
For TIBCO Spotfire Server versions 7.12.0 through 10.8.0, update to a version above 10.8.0.
As a temporary workaround, consider restricting write permissions to the Spotfire Library to minimize the risk of exploitation.

Weakness Enumeration

Incorrect Default Permissions

Related Identifiers

CVE-2020-9408

Affected Products

Spotfire Library
Spotfire Web Player
TERR Service
TIBCO Spotfire Analytics Platform for AWS Marketplace
TIBCO Spotfire Server