Shop

Your Notifications (0)

There are currently no notifications. You're all set!

Demos Trials
Knowledge Base
ChemDraw and ChemOffice+ Products Signals Notebook E-Notebook and ChemBioOffice Enterprise Spotfire and Signals Spotfire Products Columbus Signals Image Artist
Downloads
Downloads
Community
Support Forums Ideas Portal Product Basics
About Support
Legal Resources Support and Maintenance Plans Product Life Cycle Support News
Contact Support

Spotfire Security Advisory: April 08, 2025: Spotfire - CVE-2025-3115

JASON STEPHENS
  • Updated

Products

Spotfire Analyst versions 14.0.5 and earlier, 14.1.0, 14.2.0, 14.3.0, 14.4.0, 14.4.1

Summary

Security Advisory regarding Spotfire Code Execution Vulnerability

Details
Spotfire Security Advisory: April 08, 2025: Spotfire - CVE-2025-3114
Spotfire Code Execution Vulnerability

Original release date: April 08, 2025
Last revised: —
CVE-2025-3114
Source: Cloud Software Group Inc.

Description

Below are the Vulnerabilities that have been identified in Spotfire, which could allow attackers to execute arbitrary code:

Code Execution via Malicious Files: Attackers can create specially crafted files with embedded code that may execute without adequate security validation, potentially leading to system compromise.

Sandbox Bypass Vulnerability: A flaw in the TERR security mechanism allows attackers to bypass sandbox restrictions, enabling the execution of untrusted code without appropriate controls.

Impact

Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code, bypass security controls, and compromise the system.

CVSS v4.0 Base Score: 9.4 (Critical)
(CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H)

Resolution

Cloud Software Group has released updated versions of the affected systems which address this issue:

  • Spotfire Enterprise Runtime for R 6.1.4 and earlier: upgrade to version 6.1.5 or higher
  • Spotfire Statistics Services 14.0.6 and earlier: upgrade to version 14.0.7 or higher
  • Spotfire Statistics Services 14.1.0, 14.2.0, 14.3.0, 14.4.0, 14.4.1: upgrade to version 14.4.2 or higher
  • Spotfire Enterprise Runtime for R - Server Edition 1.17.6 and earlier: upgrade to version 1.17.7 or higher
  • Spotfire Enterprise Runtime for R - Server Edition 1.18.0, 1.19.0, 1.20.0, 1.21.0, 1.21.1: upgrade to version 1.22.2 or higher
  • Spotfire Analyst 14.0.5 and earlier: upgrade to version 14.0.6 or higher
  • Spotfire Analyst 14.1.0, 14.2.0, 14.3.0, 14.4.0, 14.4.1: upgrade to version 14.4.2 or higher
  • Deployment Kit used in Spotfire Server 14.0.6 and earlier: apply Deployment Kit in Spotfire Server version 14.0.7 or higher
  • Deployment Kit used in Spotfire Server 14.1.0, 14.2.0, 14.3.0, 14.4.0, 14.4.1: apply Deployment Kit in
  • Spotfire Server version 14.4.2 or higher
  • Spotfire Desktop 14.4.1 and earlier: upgrade to version 14.4.2 or higher
  • Spotfire for AWS Marketplace 14.4.1 and earlier: upgrade to version 14.4.2 or higher

Environment
Products Affected

  • Spotfire Enterprise Runtime for R 6.1.4 and earlier
  • Spotfire Statistics Services 14.0.6 and earlier
  • Spotfire Statistics Services 14.1.0, 14.2.0, 14.3.0, 14.4.0, 14.4.1
  • Spotfire Enterprise Runtime for R - Server Edition 1.17.6 and earlier
  • Spotfire Enterprise Runtime for R - Server Edition 1.18.0, 1.19.0, 1.20.0, 1.21.0, 1.21.1
  • Spotfire Analyst 14.0.5 and earlier
  • Spotfire Analyst 14.1.0, 14.2.0, 14.3.0, 14.4.0, 14.4.1
  • Deployment Kit used in Spotfire Server 14.0.6 and earlier
  • Deployment Kit used in Spotfire Server 14.1.0, 14.2.0, 14.3.0, 14.4.0, 14.4.1
  • Spotfire Desktop 14.4.1 and earlier
  • Spotfire for AWS Marketplace 14.4.1 and earlier

Reference
https://community.spotfire.com/articles/spotfire/spotfire-security-advisory-april-08-2025-spotfire-cve-2025-3115-r3485/

 

 

Products Versions
Spotfire Analyst

14.0.5 and earlier, 14.1.0, 14.2.0, 14.3.0, 14.4.0, 14.4.1

 

 

 

 

 

 

Related articles

Comments

0 comments

Article is closed for comments.