CVE-2017-5536 - OpenCVE

The GridServer Broker, and GridServer Director components of TIBCO Software Inc. TIBCO DataSynapse GridServer Manager contain vulnerabilities which may allow an authenticated user to perform cross-site scripting (XSS). In addition, an authenticated user could be a victim of a cross-site request forgery (CSRF) attack. Affected releases include TIBCO Software Inc.'s TIBCO DataSynapse GridServer Manager: versions up to and including 5.1.3; 6.0.0; 6.0.1; 6.0.2; 6.1.0; 6.1.1; and 6.2.0.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:S/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Tibco	Datasynapse Gridserver Manager

Configuration 1 [-]

OR	cpe:2.3:a:tibco:datasynapse_gridserver_manager::::::::
	cpe:2.3:a:tibco:datasynapse_gridserver_manager:6.0.0:::::::*
	cpe:2.3:a:tibco:datasynapse_gridserver_manager:6.0.1:::::::*
	cpe:2.3:a:tibco:datasynapse_gridserver_manager:6.0.2:::::::*
	cpe:2.3:a:tibco:datasynapse_gridserver_manager:6.1.0:::::::*
	cpe:2.3:a:tibco:datasynapse_gridserver_manager:6.1.1:::::::*
	cpe:2.3:a:tibco:datasynapse_gridserver_manager:6.2.0:::::::*

References

Link	Resource
https://www.tibco.com/support/advisories/2018/05/security-advisory-may-1-2018-tibco-datasynapse-gridserver-2017-5536	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: tibco

Published: 2018-05-01T00:00:00

Updated: 2018-05-01T17:57:01

Reserved: 2017-01-19T00:00:00

Link: CVE-2017-5536

JSON object: View

NVD Information

Status : Modified

Published: 2018-05-01T18:29:00.540

Modified: 2019-10-09T23:28:23.667

Link: CVE-2017-5536

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"containers": {"cna": {"affected": [{"product": "TIBCO DataSynapse GridServer Manager", "vendor": "TIBCO Software Inc.", "versions": [{"lessThanOrEqual": "5.1.3", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"status": "affected", "version": "6.0.0"}, {"status": "affected", "version": "6.0.1"}, {"status": "affected", "version": "6.0.2"}, {"status": "affected", "version": "6.1.0"}, {"status": "affected", "version": "6.1.1"}, {"status": "affected", "version": "6.2.0"}]}], "datePublic": "2018-05-01T00:00:00", "descriptions": [{"lang": "en", "value": "The GridServer Broker, and GridServer Director components of TIBCO Software Inc. TIBCO DataSynapse GridServer Manager contain vulnerabilities which may allow an authenticated user to perform cross-site scripting (XSS). In addition, an authenticated user could be a victim of a cross-site request forgery (CSRF) attack. Affected releases include TIBCO Software Inc.'s TIBCO DataSynapse GridServer Manager: versions up to and including 5.1.3; 6.0.0; 6.0.1; 6.0.2; 6.1.0; 6.1.1; and 6.2.0."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"description": "The impact of this vulnerability includes the possibility that a malicious actor could gain access to a more privileged account on the affected components or the information managed by those components.", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-05-01T17:57:01", "orgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db", "shortName": "tibco"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.tibco.com/support/advisories/2018/05/security-advisory-may-1-2018-tibco-datasynapse-gridserver-2017-5536"}], "solutions": [{"lang": "en", "value": "TIBCO has released updated versions of the affected components which address these issues. For each affected system, update to the corresponding software versions:\n\nTIBCO DataSynapse GridServer Manager versions 5.1.3 and below update to version 5.2.0 or higher\nTIBCO DataSynapse GridServer Manager versions 6.0.0, 6.0.1, and 6.0.2 update to version 6.3.0 or higher\nTIBCO DataSynapse GridServer Manager versions 6.1.0, and 6.1.1 update to version 6.3.0 or higher\nTIBCO DataSynapse GridServer Manager version 6.2.0 update to version 6.3.0 or higher"}], "source": {"discovery": "UNKNOWN"}, "title": "TIBCO DataSynapse GridServer manager component vulnerable to cross-site scripting attacks", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@tibco.com", "DATE_PUBLIC": "2018-05-01T16:00:00.000Z", "ID": "CVE-2017-5536", "STATE": "PUBLIC", "TITLE": "TIBCO DataSynapse GridServer manager component vulnerable to cross-site scripting attacks"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "TIBCO DataSynapse GridServer Manager", "version": {"version_data": [{"affected": "<=", "version_affected": "<=", "version_value": "5.1.3"}, {"affected": "=", "version_affected": "=", "version_value": "6.0.0"}, {"affected": "=", "version_affected": "=", "version_value": "6.0.1"}, {"affected": "=", "version_affected": "=", "version_value": "6.0.2"}, {"affected": "=", "version_affected": "=", "version_value": "6.1.0"}, {"affected": "=", "version_affected": "=", "version_value": "6.1.1"}, {"affected": "=", "version_affected": "=", "version_value": "6.2.0"}]}}]}, "vendor_name": "TIBCO Software Inc."}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The GridServer Broker, and GridServer Director components of TIBCO Software Inc. TIBCO DataSynapse GridServer Manager contain vulnerabilities which may allow an authenticated user to perform cross-site scripting (XSS). In addition, an authenticated user could be a victim of a cross-site request forgery (CSRF) attack. Affected releases include TIBCO Software Inc.'s TIBCO DataSynapse GridServer Manager: versions up to and including 5.1.3; 6.0.0; 6.0.1; 6.0.2; 6.1.0; 6.1.1; and 6.2.0."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "The impact of this vulnerability includes the possibility that a malicious actor could gain access to a more privileged account on the affected components or the information managed by those components."}]}]}, "references": {"reference_data": [{"name": "https://www.tibco.com/support/advisories/2018/05/security-advisory-may-1-2018-tibco-datasynapse-gridserver-2017-5536", "refsource": "CONFIRM", "url": "https://www.tibco.com/support/advisories/2018/05/security-advisory-may-1-2018-tibco-datasynapse-gridserver-2017-5536"}]}, "solution": [{"lang": "en", "value": "TIBCO has released updated versions of the affected components which address these issues. For each affected system, update to the corresponding software versions:\n\nTIBCO DataSynapse GridServer Manager versions 5.1.3 and below update to version 5.2.0 or higher\nTIBCO DataSynapse GridServer Manager versions 6.0.0, 6.0.1, and 6.0.2 update to version 6.3.0 or higher\nTIBCO DataSynapse GridServer Manager versions 6.1.0, and 6.1.1 update to version 6.3.0 or higher\nTIBCO DataSynapse GridServer Manager version 6.2.0 update to version 6.3.0 or higher"}], "source": {"discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db", "assignerShortName": "tibco", "cveId": "CVE-2017-5536", "datePublished": "2018-05-01T00:00:00", "dateReserved": "2017-01-19T00:00:00", "dateUpdated": "2018-05-01T17:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tibco:datasynapse_gridserver_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "CC2BAE6B-9ED9-42CE-99B3-9CDDF18E8017", "versionEndIncluding": "5.1.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:tibco:datasynapse_gridserver_manager:6.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "93EA58BA-253F-4B2F-9FDD-77D83D83B2B8", "vulnerable": true}, {"criteria": "cpe:2.3:a:tibco:datasynapse_gridserver_manager:6.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "72D6224E-023B-4BE9-B0F6-C9E1E95C08FE", "vulnerable": true}, {"criteria": "cpe:2.3:a:tibco:datasynapse_gridserver_manager:6.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "663D8FE4-19D8-4FD9-8507-4DB72E28DEE6", "vulnerable": true}, {"criteria": "cpe:2.3:a:tibco:datasynapse_gridserver_manager:6.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "9562E33D-669A-47DA-B7CA-DF92BEE85163", "vulnerable": true}, {"criteria": "cpe:2.3:a:tibco:datasynapse_gridserver_manager:6.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "21BE8EAE-97FE-45F4-BE02-82836C5CB737", "vulnerable": true}, {"criteria": "cpe:2.3:a:tibco:datasynapse_gridserver_manager:6.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "812E2864-CFEA-4FF6-AB37-00A10FD5047E", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The GridServer Broker, and GridServer Director components of TIBCO Software Inc. TIBCO DataSynapse GridServer Manager contain vulnerabilities which may allow an authenticated user to perform cross-site scripting (XSS). In addition, an authenticated user could be a victim of a cross-site request forgery (CSRF) attack. Affected releases include TIBCO Software Inc.'s TIBCO DataSynapse GridServer Manager: versions up to and including 5.1.3; 6.0.0; 6.0.1; 6.0.2; 6.1.0; 6.1.1; and 6.2.0."}, {"lang": "es", "value": "Los componentes GridServer Broker y GridServer Director en TIBCO DataSynapse GridServer Manager de TIBCO Software Inc. contienen vulnerabilidades que podr\u00edan permitir a un usuario autenticado realizar Cross-Site Scripting (XSS). Adem\u00e1s, un usuario autenticado podr\u00eda ser v\u00edctima de un ataque Cross-Site Request Forgery (CSRF). Las distribuciones afectadas de TIBCO DataSynapse GridServer Manager de TIBCO Software Inc. son: todas las versiones hasta la 5.1.3, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1 y 6.2.0."}], "id": "CVE-2017-5536", "lastModified": "2019-10-09T23:28:23.667", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.1, "impactScore": 4.2, "source": "security@tibco.com", "type": "Secondary"}]}, "published": "2018-05-01T18:29:00.540", "references": [{"source": "security@tibco.com", "tags": ["Vendor Advisory"], "url": "https://www.tibco.com/support/advisories/2018/05/security-advisory-may-1-2018-tibco-datasynapse-gridserver-2017-5536"}], "sourceIdentifier": "security@tibco.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}