  • TIBCO Security Advisory: May 28, 2024 - TIBCO Managed File Transfer Platform Server for Unix - CVE-2024-4407


    TIBCO Managed File Transfer Platform Server for Unix and z/Linux privilege escalation vulnerability 

    Original release date: May 28, 2024
    Last revised: ---
    CVE-2024-4407
    Source: TIBCO Software Inc.

    Products Affected
    TIBCO Managed File Transfer Platform Server for Unix versions 8.0.0, 8.0.1, 8.1.0, 8.1.1

    TIBCO Managed File Transfer Platform Server for z/Linux versions 8.0.0, 8.0.1, 8.1.0, 8.1.1 

     

    Component Affected:

    TIBCO Managed File Transfer Platform Server for Unix

     

    Description

    The components listed above contain a vulnerability that allows Platform Server clients to bypass user-id/password authentication and transfer files as root or execute commands as root.

     

    Impact

    The impact of this vulnerability includes the theoretical possibility that Platform Server clients can bypass user-id/password authentication and transfer files as root or even execute commands as root. For this issue to occur, the product configuration must deviate from the suggested Platform Server configuration standards. This issue only occurs when the Platform Server is started as root; when the Platform Server is started as non-root, files cannot be transferred as root, and commands cannot be executed as root.

     

    CVSS v3 Base Score: 9.0 (Critical) CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

     

    Solution

    Upgrade the TIBCO Platform Server for UNIX to 8.0.2 or 8.1.2.

    Upgrade the TIBCO Platform Server for z/Linux to 8.0.2 or 8.1.2.

     

    References

    https://community.tibco.com/advisories/ 
    CVE-2024-4407
     


