Security Advisory regarding TIBCO JasperReports Library

Article ID: KB0108045

Products                     Versions
TIBCO JasperReports Server   -

Description

TIBCO JasperReports Library

  Original release date: May 19, 2020
  Last revised: ---
  Source: TIBCO Software Inc.

Description

  The component listed above contains a vulnerability that theoretically allows
  an attacker to exploit HTML injection to gain full control of a web interface
  containing the output of the report generator component with the privileges of
  any user that views the affected report(s). The attacker can theoretically
  exploit this vulnerability when other users view a maliciously generated
  report, where those reports use Fusion Charts and a data source with contents
  controlled by the attacker.


Impact

  The impact of this vulnerability includes the possibility that an attacker
  could gain full control of the web interface displaying a generated report.
  Since the TIBCO JasperReports Library is used to generate reports as a
  component of web interfaces, the theoretical impact of this vulnerability is
  that the attacker can obtain the privileges of the highest privileged owner
  that views a maliciously generated report.

  CVSS v3 Base Score: 7.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N)

Environment

Systems Affected

  TIBCO JasperReports Library versions 7.1.1 and below
  TIBCO JasperReports Library versions 7.2.0 and 7.2.1
  TIBCO JasperReports Library version 7.3.0
  TIBCO JasperReports Library version 7.5.0

  TIBCO JasperReports Library for ActiveMatrix BPM versions 7.1.1 and below

  TIBCO JasperReports Server versions 7.1.1 and below
  TIBCO JasperReports Server version 7.2.0
  TIBCO JasperReports Server version 7.5.0

  TIBCO JasperReports Server for AWS Marketplace versions 7.5.0 and below

  TIBCO JasperReports Server for ActiveMatrix BPM versions 7.1.1 and below

  The following component is affected:

  * report generator

Resolution

Solution

  TIBCO has released updated versions of the affected systems which address this
  issue:

  TIBCO JasperReports Library versions 7.1.1 and below update to version 7.1.3
    or higher
  TIBCO JasperReports Library versions 7.2.0 and 7.2.1 update to version 7.2.2
    or higher
  TIBCO JasperReports Library version 7.3.0 update to version 7.3.1 or higher
  TIBCO JasperReports Library version 7.5.0 update to version 7.5.1 or higher

  TIBCO JasperReports Library for ActiveMatrix BPM versions 7.1.1 and below
    update to version 7.1.3 or higher

  TIBCO JasperReports Server versions 7.1.1 and below update to version 7.1.3
    or higher
  TIBCO JasperReports Server version 7.2.0 update to version 7.2.1 or higher
  TIBCO JasperReports Server version 7.5.0 update to version 7.5.1 or higher

  TIBCO JasperReports Server for AWS Marketplace versions 7.5.0 and below
    update to version 7.5.1 or higher

  TIBCO JasperReports Server for ActiveMatrix BPM versions 7.1.1 and below
    update to version 7.1.3 or higher
 

Issue/Introduction

Security Advisory regarding TIBCO JasperReports Library

Additional Information

  http://www.tibco.com/services/support/advisories
  CVE-2020-9410