Security Advisory Regarding TIBCO JasperReports

Security Advisory Regarding TIBCO JasperReports

book

Article ID: KB0108006

calendar_today

Updated On:

Products Versions
TIBCO JasperReports Server 7.2.1 and below, 7.5.0 and 7.5.1, 7.8.0, 7.9.0

Description

TIBCO JasperReports FTP Password exposed

  Original release date: October 12, 2021
  Last revised: ---
  Source: TIBCO Software Inc.

Description

  The component listed above contains an easily exploitable vulnerability that
  allows an authenticated attacker with network access to obtain FTP server
  passwords for other users of the affected system.


Impact

  Successful execution of this vulnerability can result in an attacker gaining
  access to the victim’s FTP server at the privilege level of the victim.

  CVSS v3 Base Score: 9.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)

Environment

Products Affected TIBCO JasperReports Server versions 7.2.1 and below TIBCO JasperReports Server versions 7.5.0 and 7.5.1 TIBCO JasperReports Server version 7.8.0 TIBCO JasperReports Server version 7.9.0 TIBCO JasperReports Server - Community Edition versions 7.8.0 and below TIBCO JasperReports Server - Developer Edition versions 7.9.0 and below TIBCO JasperReports Server for AWS Marketplace versions 7.9.0 and below TIBCO JasperReports Server for ActiveMatrix BPM versions 7.9.0 and below TIBCO JasperReports Server for Microsoft Azure version 7.8.0 The following component is affected: * Scheduler Connection

Resolution

  TIBCO has released updated versions of the affected systems which address this
  issue:

  TIBCO JasperReports Server versions 7.2.1 and below update to version 7.2.2
    or later

  TIBCO JasperReports Server versions 7.5.0 and 7.5.1 update to version 7.5.2
    or later

  TIBCO JasperReports Server version 7.8.0 update to version 7.8.1 or later

  TIBCO JasperReports Server version 7.9.0 update to version 7.9.1 or later

  TIBCO JasperReports Server - Community Edition versions 7.8.0 and below
    update to version 7.8.1 or later

  TIBCO JasperReports Server - Developer Edition versions 7.9.0 and below
    update to version 7.9.1 or later

  TIBCO JasperReports Server for AWS Marketplace versions 7.9.0 and below
    update to version 7.9.1 or later

  TIBCO JasperReports Server for ActiveMatrix BPM versions 7.9.0 and below
    update to version 7.9.1 or later

  TIBCO JasperReports Server for Microsoft Azure version 7.8.0 update to
    version 7.9.1 or later
 

Issue/Introduction

Security Advisory Regarding TIBCO JasperReports FTP Password exposed

Additional Information

  https://www.tibco.com/services/support/advisories
  CVE-2021-35495