CVE-2025-3114 — Code Injection in Deployment Kit Used in Spotfire Server
Severity
9.4 CRITICAL (NVD)
EPSS
0.6%
top 31.05%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published Apr 9
Description
Code Execution via Malicious Files: Attackers can create specially crafted files with embedded code that may execute without adequate security validation, potentially leading to system compromise.
Sandbox Bypass Vulnerability: A flaw in the TERR security mechanism allows attackers to bypass sandbox restrictions, enabling the execution of untrusted code without appropriate controls.
CVSS vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Affected Packages: 6 packages
Vulnerability Details: 2
Vendor Advisories: 2
Microsoft
An issue was discovered in the Linux kernel through 5.16-rc6. imx_register_uart_clocks in drivers/clk/imx/clk.c lacks check of the return value of kcalloc() and will cause the null pointer dereference (2022-12-13)
Microsoft
In Go before 1.14.14 and 1.15.x before 1.15.7 crypto/elliptic/p224.go can generate incorrect outputs related to an underflow of the lowest limb during the final complete reduction in the P-224 field. (2021-01-12)