  • TIBCO Security Advisory: May 14, 2024 - TIBCO Hawk - CVE-2024-3182


    TIBCO Hawk install-time password disclosure vulnerability 


    Original release date: May 14, 2024
    Last revised: ---
    CVE-2024-3182
    Source: TIBCO Software Inc.


    Products Affected

    TIBCO Hawk versions 6.2.0, 6.2.1, 6.2.2 and 6.2.3.


    Component Affected

    TIBCO Hawk Universal Installer including the Silent Installer

     

    Description

    The components listed above contain a vulnerability that allows the TIBCO Hawk user’s Enterprise Message Service (EMS) password to be exposed outside of the hawkagent.cfg and hawkevent.cfg config files.

     

    Impact

    The impact of this vulnerability includes the theoretical possibility that an attacker could access the message stream of the EMS server, or in the worst case, gain administrative access to the server. It is recommended that the EMS password utilized by the TIBCO Hawk components be changed as soon as possible.


    CVSS v3 Base Score: 6.5 (Medium)
    Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N


    Solution

    Upgrade TIBCO Hawk versions 6.2.0, 6.2.1, 6.2.2 and 6.2.3 to version 6.2.4.

     

    References

    https://community.tibco.com/advisories
    CVE-2024-3182
     


