CVE-2025-3115 — Code Injection in Deployment KIT Used IN Spotfire Server

CWE-94 — Code Injection CWE-476 — NULL Pointer Dereference CWE-427 — Uncontrolled Search Path Element5 documents4 sources

Severity

9.4CRITICALNVD

EPSS

0.9%

top 24.96%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Spotfire Deployment KIT Used IN Spotfire Server Spotfire Analyst Spotfire Desktop +10 more

Timeline

PublishedApr 9

Description

Injection Vulnerabilities: Attackers can inject malicious code, potentially gaining control over the system executing these functions. Additionally, insufficient validation of filenames during file uploads can enable attackers to upload and execute malicious files, leading to arbitrary code execution

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Affected Packages13 packages

▶NVDtibco/spotfire_analyst< 14.0.6+5

▶NVDtibco/spotfire_desktop< 14.4.2

▶CVEListV5spotfire/spotfire_analyst14.0 — 14.0.6+5

▶CVEListV5spotfire/spotfire_desktop14.4 — 14.4.2

▶NVDtibco/spotfire_deployment_kit< 14.0.7+5

🔴Vulnerability Details

GHSA

GHSA-4gxx-54gw-qwch: Injection Vulnerabilities: Attackers can inject malicious code, potentially gaining control over the system executing these functions↗2025-04-09

▶

CVEList

Spotfire Data Function Vulnerability↗2025-04-09

▶

📋Vendor Advisories

Microsoft

An issue was discovered in the Linux kernel through 5.16-rc6. malidp_crtc_reset in drivers/gpu/drm/arm/malidp_crtc.c lacks check of the return value of kzalloc() and will cause the null pointer derefe↗2022-12-13

▶

Microsoft

Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get" command to fetch modules that make use of cgo (for example cg↗2021-01-12

▶