TIBCO JasperReports Library Directory Traversal Vulnerability
CVE-2018-18809

9.9CRITICAL

Key Information:

Vendor: Tibco
Status: Tibco Jasperreports Library; Tibco Jasperreports Library Community Edition; Tibco Jasperreports Library For Activematrix Bpm; Tibco Jasperreports Server
Vendor: CVE Published:; 7 March 2019

Badges

👾 Exploit Exists🟣 EPSS 47%🦅 CISA Reported

Summary

The default server implementation of TIBCO Software Inc.'s TIBCO JasperReports Library, TIBCO JasperReports Library Community Edition, TIBCO JasperReports Library for ActiveMatrix BPM, TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, and TIBCO Jaspersoft Reporting and Analytics for AWS contains a directory-traversal vulnerability that may theoretically allow web server users to access contents of the host system. Affected releases are TIBCO Software Inc.'s TIBCO JasperReports Library: versions up to and including 6.3.4; 6.4.1; 6.4.2; 6.4.21; 7.1.0; 7.2.0, TIBCO JasperReports Library Community Edition: versions up to and including 6.7.0, TIBCO JasperReports Library for ActiveMatrix BPM: versions up to and including 6.4.21, TIBCO JasperReports Server: versions up to and including 6.3.4; 6.4.0; 6.4.1; 6.4.2; 6.4.3; 7.1.0, TIBCO JasperReports Server Community Edition: versions up to and including 6.4.3; 7.1.0, TIBCO JasperReports Server for ActiveMatrix BPM: versions up to and including 6.4.3, TIBCO Jaspersoft for AWS with Multi-Tenancy: versions up to and including 7.1.0, TIBCO Jaspersoft Reporting and Analytics for AWS: versions up to and including 7.1.0.

CISA Reported

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed as being exploited but is not known by the CISA to be used in ransomware campaigns. This is subject to change at pace

The CISA's recommendation is: Apply updates per vendor instructions.

Affected Version(s)

TIBCO JasperReports Library <= 6.3.4

TIBCO JasperReports Library 6.4.1

TIBCO JasperReports Library 6.4.2

References

http://www.tibco.com/services/support/advisories

x_refsource_MISC

https://www.tibco.com/support/advisories/2019/03/tibco-se...

x_refsource_CONFIRM

http://www.securityfocus.com/bid/107351

vdb-entryx_refsource_BID

EPSS Score

47% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.9

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

👾
Exploit known to exist
Dec 29, 2022
🦅
CISA Reported
Dec 29, 2022
Vulnerability published
Mar 7, 2019
Vulnerability Reserved
Oct 29, 2018

Collectors

NVD DatabaseMitre DatabaseCISA Database

Credit

TIBCO would like to extend its appreciation to Elar Lang of Clarified Security and Sathish Kumar Balakrishnan from Cyber Security Works Pvt Ltd for discovery of this vulnerability.