Security Advisory Regarding TIBCO JasperReports
Article ID: KB0108002
Updated On:
| Products | Versions |
|---|---|
| TIBCO JasperReports Server | 7.2.1 and below, 7.5.0 and 7.5.1, 7.8.0, 7.9.0 |
Description
TIBCO JasperReports XML Eternal Entity (XXE) vulnerability
Original release date: October 12, 2021
Last revised: November 2, 2021
Source: TIBCO Software Inc.
Description
The component listed above contains a difficult to exploit vulnerability that
allows a low privileged attacker with network access to interfere with XML
processing in the affected component.
Impact
Successful execution of this vulnerability can result in unauthorized read,
update, insert or delete access to the affected systems data and the ability
to cause a denial of service (DOS) on the affected system.
CVSS v3 Base Score: 7.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
Environment
Products Affected
TIBCO JasperReports Server versions 7.2.1 and below
TIBCO JasperReports Server versions 7.5.0 and 7.5.1
TIBCO JasperReports Server version 7.8.0
TIBCO JasperReports Server version 7.9.0
TIBCO JasperReports Server - Community Edition versions 7.8.0 and below
TIBCO JasperReports Server - Developer Edition versions 7.9.0 and below
TIBCO JasperReports Server for AWS Marketplace versions 7.9.0 and below
TIBCO JasperReports Server for ActiveMatrix BPM versions 7.9.0 and below
TIBCO JasperReports Server for Microsoft Azure version 7.8.0
The following component is affected:
* XMLA Connections
Resolution
TIBCO has released updated versions of the affected systems which address this
issue:
TIBCO JasperReports Server versions 7.2.1 and below update to version 7.2.2
or later
TIBCO JasperReports Server versions 7.5.0 and 7.5.1 update to version 7.5.2
or later
TIBCO JasperReports Server version 7.8.0 update to version 7.8.1 or later
TIBCO JasperReports Server version 7.9.0 update to version 7.9.1 or later
TIBCO JasperReports Server - Community Edition versions 7.8.0 and below
update to version 7.8.1 or later
TIBCO JasperReports Server - Developer Edition versions 7.9.0 and below
update to version 7.9.1 or later
TIBCO JasperReports Server for AWS Marketplace versions 7.9.0 and below
update to version 7.9.1 or later
TIBCO JasperReports Server for ActiveMatrix BPM versions 7.9.0 and below
update to version 7.9.1 or later
TIBCO JasperReports Server for Microsoft Azure version 7.8.0 update to
version 7.9.1 or later
Issue/Introduction
TIBCO JasperReports XML Eternal Entity (XXE) vulnerability
Additional Information
Acknowledgments
TIBCO would like to extend its appreciation to Dr. Florian Hauser, CODE WHITE
GmbH for discovery of this vulnerability.
References
https://www.tibco.com/services/support/advisories
CVE-2021-35496
TIBCO would like to extend its appreciation to Dr. Florian Hauser, CODE WHITE
GmbH for discovery of this vulnerability.
References
https://www.tibco.com/services/support/advisories
CVE-2021-35496
Feedback
Yes
No
Powered by
