Vulnerabilities
Misconfiguration
Runtime Security
Compliance
CVE Vulnerabilities

CVE-2021-35497

Improper Certificate Validation

Published: Oct 05, 2021 | Modified: Apr 18, 2022
CVSS 3.x
7.5
HIGH
Source:
NVD
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
6 MEDIUM
AV:N/AC:M/Au:S/C:P/I:P/A:P
RedHat/V2
RedHat/V3
Ubuntu
Additional information
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2021-35497
CWEhttps://cwe.mitre.org/data/definitions/295.html

The FTL Server (tibftlserver) and Docker images containing tibftlserver components of TIBCO Software Inc.s TIBCO ActiveSpaces - Community Edition, TIBCO ActiveSpaces - Developer Edition, TIBCO ActiveSpaces - Enterprise Edition, TIBCO FTL - Community Edition, TIBCO FTL - Developer Edition, TIBCO FTL - Enterprise Edition, TIBCO eFTL - Community Edition, TIBCO eFTL - Developer Edition, and TIBCO eFTL - Enterprise Edition contain a vulnerability that theoretically allows a non-administrative, authenticated FTL user to trick the affected components into creating illegitimate certificates. These maliciously generated certificates can be used to enable man-in-the-middle attacks or to escalate privileges so that the malicious user has administrative privileges. Affected releases are TIBCO Software Inc.s TIBCO ActiveSpaces - Community Edition: versions 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.6.1, and 4.6.2, TIBCO ActiveSpaces - Developer Edition: versions 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.6.1, and 4.6.2, TIBCO ActiveSpaces - Enterprise Edition: versions 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.6.1, and 4.6.2, TIBCO FTL - Community Edition: versions 6.2.0, 6.3.0, 6.3.1, 6.4.0, 6.5.0, 6.6.0, 6.6.1, and 6.7.0, TIBCO FTL - Developer Edition: versions 6.2.0, 6.3.0, 6.3.1, 6.4.0, 6.5.0, 6.6.0, 6.6.1, and 6.7.0, TIBCO FTL - Enterprise Edition: versions 6.2.0, 6.3.0, 6.3.1, 6.4.0, 6.5.0, 6.6.0, 6.6.1, and 6.7.0, TIBCO eFTL - Community Edition: versions 6.2.0, 6.3.0, 6.3.1, 6.4.0, 6.5.0, 6.6.0, 6.6.1, and 6.7.0, TIBCO eFTL - Developer Edition: versions 6.2.0, 6.3.0, 6.3.1, 6.4.0, 6.5.0, 6.6.0, 6.6.1, and 6.7.0, and TIBCO eFTL - Enterprise Edition: versions 6.2.0, 6.3.0, 6.3.1, 6.4.0, 6.5.0, 6.6.0, 6.6.1, and 6.7.0.

Weakness

The product does not validate, or incorrectly validates, a certificate.

Affected Software

Name Vendor Start Version End Version
Activespaces Tibco 4.3.0 (including) 4.3.0 (including)
Activespaces Tibco 4.4.0 (including) 4.4.0 (including)
Activespaces Tibco 4.5.0 (including) 4.5.0 (including)
Activespaces Tibco 4.6.0 (including) 4.6.0 (including)
Activespaces Tibco 4.6.1 (including) 4.6.1 (including)
Activespaces Tibco 4.6.2 (including) 4.6.2 (including)
Eftl Tibco 6.2.0 (including) 6.2.0 (including)
Eftl Tibco 6.3.0 (including) 6.3.0 (including)
Eftl Tibco 6.3.1 (including) 6.3.1 (including)
Eftl Tibco 6.4.0 (including) 6.4.0 (including)
Eftl Tibco 6.5.0 (including) 6.5.0 (including)
Eftl Tibco 6.6.0 (including) 6.6.0 (including)
Eftl Tibco 6.6.1 (including) 6.6.1 (including)
Eftl Tibco 6.7.0 (including) 6.7.0 (including)
Ftl Tibco 6.2.0 (including) 6.2.0 (including)
Ftl Tibco 6.3.0 (including) 6.3.0 (including)
Ftl Tibco 6.3.1 (including) 6.3.1 (including)
Ftl Tibco 6.4.0 (including) 6.4.0 (including)
Ftl Tibco 6.5.0 (including) 6.5.0 (including)
Ftl Tibco 6.6.0 (including) 6.6.0 (including)
Ftl Tibco 6.6.1 (including) 6.6.1 (including)
Ftl Tibco 6.7.0 (including) 6.7.0 (including)

Potential Mitigations

References

Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2024 Aqua Security Software Ltd.   Privacy Policy | Terms of Use