CVE-2019-11208 - OpenCVE

The authorization component of TIBCO Software Inc.'s TIBCO API Exchange Gateway, and TIBCO API Exchange Gateway Distribution for TIBCO Silver Fabric contains a vulnerability that theoretically processes OAuth authorization incorrectly, leading to potential escalation of privileges for the specific customer endpoint, when the implementation uses multiple scopes. This issue affects: TIBCO Software Inc.'s TIBCO API Exchange Gateway version 2.3.1 and prior versions, and TIBCO API Exchange Gateway Distribution for TIBCO Silver Fabric version 2.3.1 and prior versions.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Tibco	Api Exchange Gateway

Configuration 1 [-]

OR	cpe:2.3:a:tibco:api_exchange_gateway::::::::
	cpe:2.3:a:tibco:api_exchange_gateway::::::silver_fabric::*

References

Link	Resource
http://www.tibco.com/services/support/advisories	Vendor Advisory
https://www.tibco.com/support/advisories/2019/08/tibco-security-advisory-august-7-2019-tibco-api-exchange	Issue Tracking Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: tibco

Published: 2019-08-07T00:00:00

Updated: 2019-08-08T15:36:52

Reserved: 2019-04-12T00:00:00

Link: CVE-2019-11208

JSON object: View

NVD Information

Status : Analyzed

Published: 2019-08-08T16:15:11.103

Modified: 2023-03-29T16:20:40.710

Link: CVE-2019-11208

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-noinfo

{"containers": {"cna": {"affected": [{"product": "TIBCO API Exchange Gateway", "vendor": "TIBCO Software Inc.", "versions": [{"status": "affected", "version": "2.3.1 and prior"}]}, {"product": "TIBCO API Exchange Gateway Distribution for TIBCO Silver Fabric", "vendor": "TIBCO Software Inc.", "versions": [{"status": "affected", "version": "2.3.1 and prior"}]}], "datePublic": "2019-08-07T00:00:00", "descriptions": [{"lang": "en", "value": "The authorization component of TIBCO Software Inc.'s TIBCO API Exchange Gateway, and TIBCO API Exchange Gateway Distribution for TIBCO Silver Fabric contains a vulnerability that theoretically processes OAuth authorization incorrectly, leading to potential escalation of privileges for the specific customer endpoint, when the implementation uses multiple scopes. This issue affects: TIBCO Software Inc.'s TIBCO API Exchange Gateway version 2.3.1 and prior versions, and TIBCO API Exchange Gateway Distribution for TIBCO Silver Fabric version 2.3.1 and prior versions."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"description": "The impact of this vulnerability includes the theoretical possibility that an attacker could gain access to all scopes defined for a given customer endpoint.", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-08-08T15:36:52", "orgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db", "shortName": "tibco"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://www.tibco.com/services/support/advisories"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.tibco.com/support/advisories/2019/08/tibco-security-advisory-august-7-2019-tibco-api-exchange"}], "solutions": [{"lang": "en", "value": "TIBCO has released updated versions of the affected systems which address these issues.\n\nTIBCO API Exchange Gateway versions 2.3.1 and below update to version 2.3.2 or higher\nTIBCO API Exchange Gateway Distribution for TIBCO Silver Fabric versions 2.3.1 and below update to version 2.3.2 or higher\n"}], "source": {"discovery": "INTERNAL"}, "title": "TIBCO API Exchange Processes OAuth Incorrectly", "x_generator": {"engine": "Vulnogram 0.0.7"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@tibco.com", "DATE_PUBLIC": "2019-08-07T16:00:00.000Z", "ID": "CVE-2019-11208", "STATE": "PUBLIC", "TITLE": "TIBCO API Exchange Processes OAuth Incorrectly"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "TIBCO API Exchange Gateway", "version": {"version_data": [{"version_value": "2.3.1 and prior"}]}}, {"product_name": "TIBCO API Exchange Gateway Distribution for TIBCO Silver Fabric", "version": {"version_data": [{"version_value": "2.3.1 and prior"}]}}]}, "vendor_name": "TIBCO Software Inc."}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The authorization component of TIBCO Software Inc.'s TIBCO API Exchange Gateway, and TIBCO API Exchange Gateway Distribution for TIBCO Silver Fabric contains a vulnerability that theoretically processes OAuth authorization incorrectly, leading to potential escalation of privileges for the specific customer endpoint, when the implementation uses multiple scopes. This issue affects: TIBCO Software Inc.'s TIBCO API Exchange Gateway version 2.3.1 and prior versions, and TIBCO API Exchange Gateway Distribution for TIBCO Silver Fabric version 2.3.1 and prior versions."}]}, "generator": {"engine": "Vulnogram 0.0.7"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "The impact of this vulnerability includes the theoretical possibility that an attacker could gain access to all scopes defined for a given customer endpoint."}]}]}, "references": {"reference_data": [{"name": "http://www.tibco.com/services/support/advisories", "refsource": "MISC", "url": "http://www.tibco.com/services/support/advisories"}, {"name": "https://www.tibco.com/support/advisories/2019/08/tibco-security-advisory-august-7-2019-tibco-api-exchange", "refsource": "CONFIRM", "url": "https://www.tibco.com/support/advisories/2019/08/tibco-security-advisory-august-7-2019-tibco-api-exchange"}]}, "solution": [{"lang": "en", "value": "TIBCO has released updated versions of the affected systems which address these issues.\n\nTIBCO API Exchange Gateway versions 2.3.1 and below update to version 2.3.2 or higher\nTIBCO API Exchange Gateway Distribution for TIBCO Silver Fabric versions 2.3.1 and below update to version 2.3.2 or higher\n"}], "source": {"discovery": "INTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db", "assignerShortName": "tibco", "cveId": "CVE-2019-11208", "datePublished": "2019-08-07T00:00:00", "dateReserved": "2019-04-12T00:00:00", "dateUpdated": "2019-08-08T15:36:52", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tibco:api_exchange_gateway:*:*:*:*:*:*:*:*", "matchCriteriaId": "7F1CE8CD-A5E5-493A-A468-EE13C047529B", "versionEndIncluding": "2.3.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:tibco:api_exchange_gateway:*:*:*:*:*:silver_fabric:*:*", "matchCriteriaId": "7535269E-0EB8-47A9-BBDF-4C0612DAB863", "versionEndIncluding": "2.3.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The authorization component of TIBCO Software Inc.'s TIBCO API Exchange Gateway, and TIBCO API Exchange Gateway Distribution for TIBCO Silver Fabric contains a vulnerability that theoretically processes OAuth authorization incorrectly, leading to potential escalation of privileges for the specific customer endpoint, when the implementation uses multiple scopes. This issue affects: TIBCO Software Inc.'s TIBCO API Exchange Gateway version 2.3.1 and prior versions, and TIBCO API Exchange Gateway Distribution for TIBCO Silver Fabric version 2.3.1 and prior versions."}, {"lang": "es", "value": "El componente de autorizaci\u00f3n de TIBCO Software Inc. TIBCO API Exchange Gateway y TIBCO API Exchange Gateway Distribuci\u00f3n para TIBCO Silver Fabric contiene una vulnerabilidad que te\u00f3ricamente procesa la autorizaci\u00f3n de OAuth incorrectamente, lo que lleva a una posible escalada de privilegios para el punto final espec\u00edfico del cliente, cuando la implementaci\u00f3n utiliza m\u00faltiples \u00e1mbitos. Este problema afecta a: TIBCO Software Inc., TIBCO API Exchange Gateway versi\u00f3n 2.3.1 y versiones anteriores, y TIBCO API Exchange Gateway Distribuci\u00f3n para TIBCO Silver Fabric versi\u00f3n 2.3.1 y versiones anteriores."}], "id": "CVE-2019-11208", "lastModified": "2023-03-29T16:20:40.710", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@tibco.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-08-08T16:15:11.103", "references": [{"source": "security@tibco.com", "tags": ["Vendor Advisory"], "url": "http://www.tibco.com/services/support/advisories"}, {"source": "security@tibco.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://www.tibco.com/support/advisories/2019/08/tibco-security-advisory-august-7-2019-tibco-api-exchange"}], "sourceIdentifier": "security@tibco.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}