CVE-2018-5428 - OpenCVE

The version control adapters component of TIBCO Data Virtualization (formerly known as Cisco Information Server) contains vulnerabilities that may allow for arbitrary command execution. Affected releases are TIBCO Data Virtualization: 7.0.5; 7.0.6.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:L/Au:S/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Tibco	Data Virtualization

Configuration 1 [-]

OR	cpe:2.3:a:tibco:data_virtualization:7.0.5:::::::*
	cpe:2.3:a:tibco:data_virtualization:7.0.6:::::::*

References

Link	Resource
http://www.securityfocus.com/bid/104518	Third Party Advisory VDB Entry
https://www.tibco.com/support/advisories/2018/06/tibco-security-advisory-june-20-2018-tibco-data-virtualization	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: tibco

Published: 2018-06-20T00:00:00

Updated: 2018-06-22T09:57:01

Reserved: 2018-01-12T00:00:00

Link: CVE-2018-5428

JSON object: View

NVD Information

Status : Modified

Published: 2018-06-20T18:29:00.437

Modified: 2019-10-09T23:41:19.953

Link: CVE-2018-5428

JSON object: View

Redhat Information

No data.

CWE

CWE-77

{"containers": {"cna": {"affected": [{"product": "TIBCO Data Virtualization", "vendor": "TIBCO Software Inc.", "versions": [{"status": "affected", "version": "7.0.5"}, {"status": "affected", "version": "7.0.6"}]}], "datePublic": "2018-06-20T00:00:00", "descriptions": [{"lang": "en", "value": "The version control adapters component of TIBCO Data Virtualization (formerly known as Cisco Information Server) contains vulnerabilities that may allow for arbitrary command execution. Affected releases are TIBCO Data Virtualization: 7.0.5; 7.0.6."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"description": "The impact of the vulnerability includes the theoretical possibility of disclosing contents of files on the host machine that are accessible to the operating system account used to run the affected component.", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-06-22T09:57:01", "orgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db", "shortName": "tibco"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.tibco.com/support/advisories/2018/06/tibco-security-advisory-june-20-2018-tibco-data-virtualization"}, {"name": "104518", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/104518"}], "solutions": [{"lang": "en", "value": "TIBCO has released updated versions of the affected components which address these issues. For each affected system, update to the corresponding software versions:\n* TIBCO Data Virtualization versions 7.0.5 and 7.0.6 update to version 7.0.7 or higher.\n"}], "source": {"discovery": "USER"}, "title": "TIBCO Data Virtualization Command Injection Vulnerability", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@tibco.com", "DATE_PUBLIC": "2018-06-20T16:00:00.000Z", "ID": "CVE-2018-5428", "STATE": "PUBLIC", "TITLE": "TIBCO Data Virtualization Command Injection Vulnerability"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "TIBCO Data Virtualization", "version": {"version_data": [{"affected": "=", "version_affected": "=", "version_value": "7.0.5"}, {"affected": "=", "version_affected": "=", "version_value": "7.0.6"}]}}]}, "vendor_name": "TIBCO Software Inc."}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The version control adapters component of TIBCO Data Virtualization (formerly known as Cisco Information Server) contains vulnerabilities that may allow for arbitrary command execution. Affected releases are TIBCO Data Virtualization: 7.0.5; 7.0.6."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "The impact of the vulnerability includes the theoretical possibility of disclosing contents of files on the host machine that are accessible to the operating system account used to run the affected component."}]}]}, "references": {"reference_data": [{"name": "https://www.tibco.com/support/advisories/2018/06/tibco-security-advisory-june-20-2018-tibco-data-virtualization", "refsource": "CONFIRM", "url": "https://www.tibco.com/support/advisories/2018/06/tibco-security-advisory-june-20-2018-tibco-data-virtualization"}, {"name": "104518", "refsource": "BID", "url": "http://www.securityfocus.com/bid/104518"}]}, "solution": [{"lang": "en", "value": "TIBCO has released updated versions of the affected components which address these issues. For each affected system, update to the corresponding software versions:\n* TIBCO Data Virtualization versions 7.0.5 and 7.0.6 update to version 7.0.7 or higher.\n"}], "source": {"discovery": "USER"}}}}, "cveMetadata": {"assignerOrgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db", "assignerShortName": "tibco", "cveId": "CVE-2018-5428", "datePublished": "2018-06-20T00:00:00", "dateReserved": "2018-01-12T00:00:00", "dateUpdated": "2018-06-22T09:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tibco:data_virtualization:7.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "7A240275-FDCD-403F-9B3D-1AE8BF406699", "vulnerable": true}, {"criteria": "cpe:2.3:a:tibco:data_virtualization:7.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "E7404124-5EF5-473E-85D0-08258399E97C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The version control adapters component of TIBCO Data Virtualization (formerly known as Cisco Information Server) contains vulnerabilities that may allow for arbitrary command execution. Affected releases are TIBCO Data Virtualization: 7.0.5; 7.0.6."}, {"lang": "es", "value": "El componente del adaptador de control de versiones de TIBCO Data Virtualization (antes conocido como Cisco Information Server) contiene vulnerabilidades que podr\u00edan permitir la ejecuci\u00f3n de comandos arbitrarios. Las versiones afectadas de TIBCO Data Virtualization son la 7.0.5 y la 7.0.6."}], "id": "CVE-2018-5428", "lastModified": "2019-10-09T23:41:19.953", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@tibco.com", "type": "Secondary"}]}, "published": "2018-06-20T18:29:00.437", "references": [{"source": "security@tibco.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/104518"}, {"source": "security@tibco.com", "tags": ["Vendor Advisory"], "url": "https://www.tibco.com/support/advisories/2018/06/tibco-security-advisory-june-20-2018-tibco-data-virtualization"}], "sourceIdentifier": "security@tibco.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}], "source": "nvd@nist.gov", "type": "Primary"}]}