Products
Spotfire Analyst versions 14.0.5 and earlier, 14.1.0, 14.2.0, 14.3.0, 14.4.0, 14.4.1
Summary
Security Advisory regarding Spotfire Code Execution Vulnerability
Details
Spotfire Security Advisory: April 08, 2025: Spotfire - CVE-2025-3114
Spotfire Code Execution Vulnerability
Original release date: April 08, 2025
Last revised: —
CVE-2025-3114
Source: Cloud Software Group Inc.
Description
Below are the vulnerabilities that have been identified in Spotfire, each of which could allow an attacker to execute arbitrary code:
Code Execution via Malicious Files: Attackers can create specially crafted files with embedded code that may execute without adequate security validation, potentially leading to system compromise.
Sandbox Bypass Vulnerability: A flaw in the TERR security mechanism allows attackers to bypass sandbox restrictions, enabling the execution of untrusted code without appropriate controls.
Impact
Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code, bypass security controls, and compromise the system.
CVSS v4.0 Base Score: 9.4 (Critical)
(CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H)
Resolution
Cloud Software Group has released updated versions of the affected systems that address this issue:
- Spotfire Enterprise Runtime for R 6.1.4 and earlier: upgrade to version 6.1.5 or higher
- Spotfire Statistics Services 14.0.6 and earlier: upgrade to version 14.0.7 or higher
- Spotfire Statistics Services 14.1.0, 14.2.0, 14.3.0, 14.4.0, 14.4.1: upgrade to version 14.4.2 or higher
- Spotfire Enterprise Runtime for R - Server Edition 1.17.6 and earlier: upgrade to version 1.17.7 or higher
- Spotfire Enterprise Runtime for R - Server Edition 1.18.0, 1.19.0, 1.20.0, 1.21.0, 1.21.1: upgrade to version 1.22.2 or higher
- Spotfire Analyst 14.0.5 and earlier: upgrade to version 14.0.6 or higher
- Spotfire Analyst 14.1.0, 14.2.0, 14.3.0, 14.4.0, 14.4.1: upgrade to version 14.4.2 or higher
- Deployment Kit used in Spotfire Server 14.0.6 and earlier: apply Deployment Kit in Spotfire Server version 14.0.7 or higher
- Deployment Kit used in Spotfire Server 14.1.0, 14.2.0, 14.3.0, 14.4.0, 14.4.1: apply Deployment Kit in Spotfire Server version 14.4.2 or higher
- Spotfire Desktop 14.4.1 and earlier: upgrade to version 14.4.2 or higher
- Spotfire for AWS Marketplace 14.4.1 and earlier: upgrade to version 14.4.2 or higher
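The resolution table above spans two kinds of ranges per product ("X and earlier" on the older branch, and an explicitly named set of releases on the newer branches), which makes manual triage of an inventory error-prone. The following script is an added example, not code from Cloud Software Group or the advisory: it transcribes the product names, affected ranges and fixed versions from the table and reports, for an installed version, whether it is affected, already on a fixed release, or simply not named by the advisory (for example 14.1.1, which sits between listed releases and is left to the operator to confirm with the vendor). Function and status names are this example's own.

```python
"""Triage installed Spotfire component versions against the CVE-2025-3114
resolution table (added example; ranges transcribed from the advisory)."""
from typing import NamedTuple, Optional

Version = tuple[int, ...]


def parse_version(text: str) -> Version:
    """'14.0.5' -> (14, 0, 5); shorter strings are right-padded with zeros
    so that '14.4' compares equal to '14.4.0'."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))


class Rule(NamedTuple):
    ceiling: Optional[str]    # "X and earlier": every version <= X is affected
    listed: tuple[str, ...]   # releases the advisory names individually
    fixed: str                # "upgrade to F or higher"


NEWER_14 = ("14.1.0", "14.2.0", "14.3.0", "14.4.0", "14.4.1")

# Rules per product, ordered oldest branch first (values from the advisory).
ADVISORY: dict[str, list[Rule]] = {
    "Spotfire Enterprise Runtime for R": [Rule("6.1.4", (), "6.1.5")],
    "Spotfire Statistics Services": [
        Rule("14.0.6", (), "14.0.7"),
        Rule(None, NEWER_14, "14.4.2"),
    ],
    "Spotfire Enterprise Runtime for R - Server Edition": [
        Rule("1.17.6", (), "1.17.7"),
        Rule(None, ("1.18.0", "1.19.0", "1.20.0", "1.21.0", "1.21.1"), "1.22.2"),
    ],
    "Spotfire Analyst": [
        Rule("14.0.5", (), "14.0.6"),
        Rule(None, NEWER_14, "14.4.2"),
    ],
    # For the Deployment Kit the "fix" is the Spotfire Server release whose kit to apply.
    "Deployment Kit used in Spotfire Server": [
        Rule("14.0.6", (), "14.0.7"),
        Rule(None, NEWER_14, "14.4.2"),
    ],
    "Spotfire Desktop": [Rule("14.4.1", (), "14.4.2")],
    "Spotfire for AWS Marketplace": [Rule("14.4.1", (), "14.4.2")],
}

AFFECTED, FIXED, NOT_LISTED = "AFFECTED", "FIXED", "NOT LISTED"


def triage(product: str, version: str) -> tuple[str, Optional[str]]:
    """Return (status, fix_version). A version at or above one rule's fix and
    below the next rule's first listed release is on a patched branch."""
    v = parse_version(version)
    rules = ADVISORY[product]
    for i, rule in enumerate(rules):
        under_ceiling = rule.ceiling is not None and v <= parse_version(rule.ceiling)
        if under_ceiling or v in {parse_version(x) for x in rule.listed}:
            return AFFECTED, rule.fixed
        nxt = rules[i + 1] if i + 1 < len(rules) else None
        # In this table every follow-on rule is an explicit list, so its first
        # entry marks where the next affected branch begins.
        branch_end = min(parse_version(x) for x in nxt.listed) if nxt else None
        if v >= parse_version(rule.fixed) and (branch_end is None or v < branch_end):
            return FIXED, None
    # Inside an affected span but not named by the advisory (e.g. 14.1.1).
    return NOT_LISTED, None


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = [("Spotfire Analyst", "14.0.5"), ("Spotfire Analyst", "14.4.1"),
                 ("Spotfire Analyst", "14.1.1"), ("Spotfire Desktop", "14.4.2")]
    for product, ver in inventory:
        status, fix = triage(product, ver)
        print(f"{product} {ver}: {status}" + (f" -> upgrade to {fix} or higher" if fix else ""))
```

The NOT LISTED outcome is deliberate: the advisory names specific releases on the newer branches rather than a contiguous range, so a build between two named releases is reported for follow-up rather than silently classified either way.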
Environment
Products Affected
- Spotfire Enterprise Runtime for R 6.1.4 and earlier
- Spotfire Statistics Services 14.0.6 and earlier
- Spotfire Statistics Services 14.1.0, 14.2.0, 14.3.0, 14.4.0, 14.4.1
- Spotfire Enterprise Runtime for R - Server Edition 1.17.6 and earlier
- Spotfire Enterprise Runtime for R - Server Edition 1.18.0, 1.19.0, 1.20.0, 1.21.0, 1.21.1
- Spotfire Analyst 14.0.5 and earlier
- Spotfire Analyst 14.1.0, 14.2.0, 14.3.0, 14.4.0, 14.4.1
- Deployment Kit used in Spotfire Server 14.0.6 and earlier
- Deployment Kit used in Spotfire Server 14.1.0, 14.2.0, 14.3.0, 14.4.0, 14.4.1
- Spotfire Desktop 14.4.1 and earlier
- Spotfire for AWS Marketplace 14.4.1 and earlier