TIBCO JasperReports Server RCE Vulnerability
CVE-2022-41561

9.1CRITICAL

Key Information:

Vendor
Tibco
Status
Tibco Jasperreports Server
Tibco Jasperreports Server - Community Edition
Tibco Jasperreports Server - Developer Edition
Tibco Jasperreports Server For Aws Marketplace
Vendor
CVE Published:
13 December 2022

Summary

The JNDI Data Sources component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server, TIBCO JasperReports Server - Community Edition, TIBCO JasperReports Server - Developer Edition, TIBCO JasperReports Server for AWS Marketplace, TIBCO JasperReports Server for AWS Marketplace, TIBCO JasperReports Server for Microsoft Azure, and TIBCO JasperReports Server for Microsoft Azure contains an easily exploitable vulnerability that allows a privileged/administrative attacker with network access to execute Remote Code Execution to obtain a reverse shell on the affected system. Affected releases are TIBCO Software Inc.'s TIBCO JasperReports Server: versions 8.0.2 and below, TIBCO JasperReports Server: version 8.1.0, TIBCO JasperReports Server - Community Edition: versions 8.1.0 and below, TIBCO JasperReports Server - Developer Edition: versions 8.1.0 and below, TIBCO JasperReports Server for AWS Marketplace: versions 8.0.2 and below, TIBCO JasperReports Server for AWS Marketplace: version 8.1.0, TIBCO JasperReports Server for Microsoft Azure: versions 8.0.2 and below, and TIBCO JasperReports Server for Microsoft Azure: version 8.1.0.

Affected Version(s)

TIBCO JasperReports Server <= 8.0.2

TIBCO JasperReports Server 8.1.0

TIBCO JasperReports Server - Community Edition <= 8.1.0

References

https://www.tibco.com/services/support/advisories
https://www.tibco.com/support/advisories/2022/12/tibco-se...

CVSS V3.1

Score:
9.1
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.