PT-2024-4654 · Tibco · Spotfire Server, Spotfire Analyst, Spotfire for AWS Marketplace

Published

2024-04-04

·

Updated

2024-08-01

·

CVE-2024-3330

CVSS v3.1

9.9

Critical

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
Spotfire Analyst versions 12.0.9 through 12.5.0
Spotfire Analyst versions 14.0 through 14.0.2
Spotfire Server versions 12.0.10 through 12.5.0
Spotfire Server versions 14.0 through 14.0.3
Spotfire Server versions 14.2.0 through 14.3.0
Spotfire for AWS Marketplace versions 14.0 through 14.3.0
Description: The issue stems from insufficient input validation in components of the Spotfire platform and allows a remote attacker to execute arbitrary code. For the installed Windows client (Spotfire Analyst), successful exploitation requires interaction from a user other than the attacker. For the Web Player, exploitation lets the attacker run arbitrary code as the account under which the Web Player process runs. For Automation Services, exploitation lets the attacker run arbitrary code through those services.
Recommendations: Update each affected product to a version that falls outside every affected range listed above. Moving from one affected range into another (for example from Spotfire Server 12.5.0 to 14.0.3) does not mitigate the risk.
Spotfire Analyst versions 12.0.9 through 12.5.0: update to a version outside this range.
Spotfire Analyst versions 14.0 through 14.0.2: update to a version outside this range.
Spotfire Server versions 12.0.10 through 12.5.0: update to a version outside this range.
Spotfire Server versions 14.0 through 14.0.3: update to a version outside this range.
Spotfire Server versions 14.2.0 through 14.3.0: update to a version outside this range.
Spotfire for AWS Marketplace versions 14.0 through 14.3.0: update to a version outside this range.
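The affected ranges are easy to misread in an inventory check: "14.0" is a lower bound of 14.0.0, 14.0.3 is inside the Server range while 14.0.3.1 is not, and a version can be past one range yet inside the next. The script below is an added example for this page, not part of the advisory or of any TIBCO tooling; the ranges are copied from the advisory text, the product names are assumed to match the advisory's spelling, and the hostnames and versions in SAMPLE_INVENTORY are constructed.

```python
"""Check Spotfire product versions against the affected ranges of PT-2024-4654 / CVE-2024-3330."""
import re

# Inclusive affected ranges copied from the advisory; a two-part bound such as "14.0" means 14.0.0.
AFFECTED_RANGES = {
    "Spotfire Analyst": [("12.0.9", "12.5.0"), ("14.0", "14.0.2")],
    "Spotfire Server": [("12.0.10", "12.5.0"), ("14.0", "14.0.3"), ("14.2.0", "14.3.0")],
    "Spotfire for AWS Marketplace": [("14.0", "14.3.0")],
}

_VERSION_RE = re.compile(r"\s*(\d+(?:\.\d+)*)")


def parse_version(version):
    """Turn '14.0', '14.0.3' or '12.5.1 LTS' into an integer tuple padded to at least 3 parts.

    A fourth component (14.0.3.1) is kept, so it compares greater than the 3-part bound 14.0.3.
    """
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unparseable version string: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def affected_range(product, version):
    """Return the (low, high) range the version falls in, or None when it is outside all of them.

    Products the advisory does not list raise instead of being silently treated as safe.
    """
    if product not in AFFECTED_RANGES:
        raise ValueError(f"product not covered by this advisory: {product!r}")
    v = parse_version(version)
    for low, high in AFFECTED_RANGES[product]:
        if parse_version(low) <= v <= parse_version(high):
            return (low, high)
    return None


def is_affected(product, version):
    return affected_range(product, version) is not None


# Constructed sample inventory (hostname, product, version); none of these are real hosts.
SAMPLE_INVENTORY = [
    ("bi-prod-01", "Spotfire Server", "14.0.3"),
    ("bi-prod-02", "Spotfire Server", "14.0.4"),
    ("bi-test-01", "Spotfire Server", "12.5.1"),
    ("bi-aws-01", "Spotfire for AWS Marketplace", "14.2.1"),
    ("ws-analyst-07", "Spotfire Analyst", "14.0"),
    ("ws-analyst-08", "Spotfire Analyst", "12.0.8"),
]


def triage(inventory):
    """Return {hostname: 'low-high'} for every inventory entry inside an affected range."""
    hits = {}
    for host, product, version in inventory:
        rng = affected_range(product, version)
        if rng is not None:
            hits[host] = f"{rng[0]}-{rng[1]}"
    return hits


if __name__ == "__main__":
    for host, rng in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: affected (range {rng}); update to a version outside all affected ranges")
```

Feed it the output of your asset inventory instead of SAMPLE_INVENTORY; the comparison is purely on the numeric version, so a build suffix such as "LTS" is ignored, and a product name that is not in the advisory is reported as an error rather than passed as clean.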

Fix

RCE

Weakness Enumeration

Related Identifiers

BDU:2024-05162
CVE-2024-3330

Affected Products

Spotfire Analyst
Spotfire Server
Spotfire for AWS Marketplace