Security Advisory Regarding TIBCO JasperReports Server

Article ID: KB0108044

Products: TIBCO JasperReports Server
Versions: 7.1.1

Description

TIBCO JasperReports Server Fails To Enforce Access Restrictions

  Original release date: May 19, 2020
  Last revised: ---
  Source: TIBCO Software Inc.

Description

  The component listed above contains a vulnerability that theoretically allows
  an unauthenticated attacker to obtain the permissions of a JasperReports
  Server "superuser" for the affected systems. The attacker can theoretically
  exploit the vulnerability consistently, remotely, and without authenticating.

Impact

  The impact of this vulnerability includes the possibility that an
  unauthenticated user obtains JasperReports Server "superuser" permission, and
  further might be able to execute arbitrary code with the system account that
  started the affected component.

  CVSS v3 Base Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Environment

Systems Affected

  TIBCO JasperReports Server versions 7.1.1 and below
  TIBCO JasperReports Server for AWS Marketplace versions 7.1.1 and below
  TIBCO JasperReports Server for ActiveMatrix BPM versions 7.1.1 and below

  The following component is affected:

  * administrative UI

Resolution

  TIBCO has released updated versions of the affected systems which address this
  issue:

  TIBCO JasperReports Server versions 7.1.1 and below update to version 7.1.3
    or higher

  TIBCO JasperReports Server for AWS Marketplace versions 7.1.1 and below
    update to version 7.2.0 or higher

  TIBCO JasperReports Server for ActiveMatrix BPM versions 7.1.1 and below
    update to version 7.1.3 or higher

Issue/Introduction

TIBCO JasperReports Server Fails To Enforce Access Restrictions

Additional Information

  http://www.tibco.com/services/support/advisories
  CVE-2020-9409