AVID-2026-R0723
Description
TIBCO Spotfire Windows Platform Artifact Search vulnerability (CVE-2021-28830)
Details
The TIBCO Spotfire Server and TIBCO Enterprise Runtime for R components of TIBCO Software Inc.’s TIBCO Enterprise Runtime for R - Server Edition, TIBCO Spotfire Analytics Platform for AWS Marketplace, TIBCO Spotfire Server, and TIBCO Spotfire Statistics Services contain a vulnerability that theoretically allows a low-privileged attacker with local access on the Windows operating system to insert malicious software. The affected component can be abused to execute the malicious software inserted by the attacker with the elevated privileges of the component. This vulnerability results from the affected component searching for run-time artifacts outside of the installation hierarchy. Affected releases are TIBCO Software Inc.’s:
- TIBCO Enterprise Runtime for R - Server Edition: versions 1.2.4 and below; versions 1.3.0 and 1.3.1; versions 1.4.0, 1.5.0, and 1.6.0
- TIBCO Spotfire Analytics Platform for AWS Marketplace: versions 11.3.0 and below
- TIBCO Spotfire Server: versions 10.3.12 and below; versions 10.4.0, 10.5.0, 10.6.0, 10.6.1, 10.7.0, 10.8.0, 10.8.1, 10.9.0, 10.10.0, 10.10.1, 10.10.2, 10.10.3, and 10.10.4; versions 11.0.0, 11.1.0, 11.2.0, and 11.3.0
- TIBCO Spotfire Statistics Services: versions 10.3.0 and below; versions 10.10.0, 10.10.1, and 10.10.2; versions 11.1.0, 11.2.0, and 11.3.0
Reason for inclusion in AVID: CVE-2021-28830 describes a software vulnerability in TIBCO Spotfire and TIBCO Enterprise Runtime for R components, which are used in analytics pipelines and AI-related workflows (R runtime, Spotfire server, statistics services). It enables a low-privileged, locally authenticated attacker to execute malicious code with elevated privileges by abusing the component's search for run-time artifacts outside the installation hierarchy. This is a software supply-chain-relevant issue in components that can be used to build and run AI systems, and it is a (local) security vulnerability with clear exploitability signals. It is therefore kept for AVID curation as a vulnerability in the AI software supply chain.
References
- NVD entry
- http://www.tibco.com/services/support/advisories
- https://www.tibco.com/support/advisories/2021/06/tibco-security-advisory-june-29-2021-tibco-spotfire-2021-28830
Affected or Relevant Artifacts
- Developer: TIBCO Software Inc.
- Deployer: TIBCO Software Inc.
- Artifact Details:
| Type | Name | Affected versions |
|---|---|---|
| System | TIBCO Enterprise Runtime for R - Server Edition | 1.2.4 and below |
| System | TIBCO Enterprise Runtime for R - Server Edition | 1.3.0, 1.3.1 |
| System | TIBCO Enterprise Runtime for R - Server Edition | 1.4.0, 1.5.0, 1.6.0 |
| System | TIBCO Spotfire Analytics Platform for AWS Marketplace | 11.3.0 and below |
| System | TIBCO Spotfire Server | 10.3.12 and below |
| System | TIBCO Spotfire Server | 10.4.0, 10.5.0, 10.6.0, 10.6.1, 10.7.0, 10.8.0, 10.8.1, 10.9.0, 10.10.0, 10.10.1, 10.10.2, 10.10.3, 10.10.4 |
| System | TIBCO Spotfire Server | 11.0.0, 11.1.0, 11.2.0, 11.3.0 |
| System | TIBCO Spotfire Statistics Services | 10.3.0 and below |
| System | TIBCO Spotfire Statistics Services | 10.10.0, 10.10.1, 10.10.2 |
| System | TIBCO Spotfire Statistics Services | 11.1.0, 11.2.0, 11.3.0 |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Metric | Value |
|---|---|
| Version | 3.1 |
| Vector String | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| Base Score | 8.8 |
| Base Severity | 🔴 High |
| Attack Vector | Local |
| Attack Complexity | 🟢 Low |
| Privileges Required | 🟢 Low |
| User Interaction | None |
| Scope | Changed |
| Confidentiality Impact | 🔴 High |
| Integrity Impact | 🔴 High |
| Availability Impact | 🔴 High |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2021-06-29
- Version: 0.3.3
- AVID Entry