CVE-2021-43052

11.01.2022, 19:15

The Realm Server component of TIBCO Software Inc.'s TIBCO FTL - Community Edition, TIBCO FTL - Developer Edition, and TIBCO FTL - Enterprise Edition contains an easily exploitable vulnerability that allows authentication bypass due to a hard coded secret used in the default realm server of the affected system. Affected releases are TIBCO Software Inc.'s TIBCO FTL - Community Edition: versions 6.7.2 and below, TIBCO FTL - Developer Edition: versions 6.7.2 and below, and TIBCO FTL - Enterprise Edition: versions 6.7.2 and below.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	9.3 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
tibco	CNA	9.3 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 45%

Vendor	Product	Version
tibco	ftl	𝑥 ≤ 6.7.2
tibco	ftl	𝑥 ≤ 6.7.2
tibco	ftl	𝑥 ≤ 6.7.2

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-798 - Use of Hard-coded Credentials
The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

References

https://www.tibco.com/services/support/advisories

https://www.tibco.com/support/advisories/2022/01/tibco-security-advisory-january-11-2022-tibco-ftl-2021-43052

https://www.tibco.com/services/support/advisories

https://www.tibco.com/support/advisories/2022/01/tibco-security-advisory-january-11-2022-tibco-ftl-2021-43052