TIBCO JasperReports Server Fails To Enforce Access Restrictions
CVE-2020-9409

9.8CRITICAL

Key Information:

Vendor: Tibco
Status: Tibco Jasperreports Server; Tibco Jasperreports Server For Aws Marketplace; Tibco Jasperreports Server For Activematrix Bpm
Vendor: CVE Published:; 20 May 2020

Summary

The administrative UI component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server for AWS Marketplace, and TIBCO JasperReports Server for ActiveMatrix BPM contains a vulnerability that theoretically allows an unauthenticated attacker to obtain the permissions of a JasperReports Server "superuser" for the affected systems. The attacker can theoretically exploit the vulnerability consistently, remotely, and without authenticating. Affected releases are TIBCO Software Inc.'s TIBCO JasperReports Server: versions 7.1.1 and below, TIBCO JasperReports Server for AWS Marketplace: versions 7.1.1 and below, and TIBCO JasperReports Server for ActiveMatrix BPM: versions 7.1.1 and below.

Affected Version(s)

TIBCO JasperReports Server <= 7.1.1

TIBCO JasperReports Server for ActiveMatrix BPM <= 7.1.1

TIBCO JasperReports Server for AWS Marketplace <= 7.1.1

References

http://www.tibco.com/services/support/advisories

x_refsource_CONFIRM

https://www.oracle.com/security-alerts/cpuoct2020.html

x_refsource_MISC

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 20, 2020
Vulnerability Reserved
Feb 26, 2020

Collectors

NVD DatabaseMitre Database