ID

VAR-201908-1787


CVE

CVE-2019-11208


TITLE

TIBCO Software Inc. TIBCO API Exchange Gateway and TIBCO API Exchange Gateway Distribution for TIBCO Silver Fabric Authorization vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-007853

DESCRIPTION

The authorization component of TIBCO Software Inc.'s TIBCO API Exchange Gateway and TIBCO API Exchange Gateway Distribution for TIBCO Silver Fabric contains a vulnerability that theoretically processes OAuth authorization incorrectly, leading to potential escalation of privileges for the specific customer endpoint, when the implementation uses multiple scopes. This issue affects: TIBCO Software Inc.'s TIBCO API Exchange Gateway version 2.3.1 and prior versions, and TIBCO API Exchange Gateway Distribution for TIBCO Silver Fabric version 2.3.1 and prior versions. TIBCO Software Inc. The platform mainly provides functions such as high-speed receiving, routing and forwarding of requests, and routing of requests between requesters and service endpoints. An attacker could exploit this vulnerability to elevate privileges.

Trust: 1.71

sources: NVD: CVE-2019-11208 // JVNDB: JVNDB-2019-007853 // VULHUB: VHN-142831

AFFECTED PRODUCTS

vendor: tibco
model: api exchange gateway
scope: lte
version: 2.3.1

Trust: 1.8

vendor: tibco
model: api exchange gateway
scope: lte
version: distribution for tibco silver fabric 2.3.1

Trust: 0.8

sources: JVNDB: JVNDB-2019-007853 // NVD: CVE-2019-11208

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-11208
value: CRITICAL

Trust: 1.0

security@tibco.com: CVE-2019-11208
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-11208
value: CRITICAL

Trust: 0.8

CNNVD: CNNVD-201908-576
value: CRITICAL

Trust: 0.6

VULHUB: VHN-142831
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-11208
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-142831
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-11208
baseSeverity: CRITICAL
baseScore: 9.9
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.1
impactScore: 6.0
version: 3.1

Trust: 1.0

security@tibco.com: CVE-2019-11208
baseSeverity: MEDIUM
baseScore: 6.4
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 3.1
impactScore: 2.7
version: 3.0

Trust: 1.0

NVD: CVE-2019-11208
baseSeverity: CRITICAL
baseScore: 9.9
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-142831 // JVNDB: JVNDB-2019-007853 // CNNVD: CNNVD-201908-576 // NVD: CVE-2019-11208 // NVD: CVE-2019-11208

PROBLEMTYPE DATA

problemtype:NVD-CWE-noinfo

Trust: 1.0

problemtype:CWE-285

Trust: 0.9

sources: VULHUB: VHN-142831 // JVNDB: JVNDB-2019-007853 // NVD: CVE-2019-11208

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201908-576

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-201908-576

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-007853

PATCH

title: Security Advisories
url: https://www.tibco.com/services/support/advisories

Trust: 0.8

title: TIBCO Security Advisory: August 7, 2019 - TIBCO API Exchange
url: https://www.tibco.com/support/advisories/2019/08/tibco-security-advisory-august-7-2019-tibco-api-exchange

Trust: 0.8

title: TIBCO API Exchange Gateway and TIBCO API Exchange Gateway Distribution for TIBCO Silver Fabric Repair measures for authorization module security vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=96273

Trust: 0.6

sources: JVNDB: JVNDB-2019-007853 // CNNVD: CNNVD-201908-576

EXTERNAL IDS

db: NVD
id: CVE-2019-11208

Trust: 2.5

db: JVNDB
id: JVNDB-2019-007853

Trust: 0.8

db: CNNVD
id: CNNVD-201908-576

Trust: 0.7

db: VULHUB
id: VHN-142831

Trust: 0.1

sources: VULHUB: VHN-142831 // JVNDB: JVNDB-2019-007853 // CNNVD: CNNVD-201908-576 // NVD: CVE-2019-11208

REFERENCES

url:https://www.tibco.com/support/advisories/2019/08/tibco-security-advisory-august-7-2019-tibco-api-exchange

Trust: 1.7

url:http://www.tibco.com/services/support/advisories

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2019-11208

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-11208

Trust: 0.8

sources: VULHUB: VHN-142831 // JVNDB: JVNDB-2019-007853 // CNNVD: CNNVD-201908-576 // NVD: CVE-2019-11208

SOURCES

db: VULHUB, id: VHN-142831
db: JVNDB, id: JVNDB-2019-007853
db: CNNVD, id: CNNVD-201908-576
db: NVD, id: CVE-2019-11208

LAST UPDATE DATE

2024-11-23T22:58:35.748000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-142831, date: 2020-08-24T00:00:00
db: JVNDB, id: JVNDB-2019-007853, date: 2019-08-21T00:00:00
db: CNNVD, id: CNNVD-201908-576, date: 2020-08-25T00:00:00
db: NVD, id: CVE-2019-11208, date: 2024-11-21T04:20:43.777

SOURCES RELEASE DATE

db: VULHUB, id: VHN-142831, date: 2019-08-08T00:00:00
db: JVNDB, id: JVNDB-2019-007853, date: 2019-08-21T00:00:00
db: CNNVD, id: CNNVD-201908-576, date: 2019-08-08T00:00:00
db: NVD, id: CVE-2019-11208, date: 2019-08-08T16:15:11.103