Security Advisory regarding TIBCO JasperReports Server
Article ID: KB0108080
Updated On:
| Products | Versions |
|---|---|
| TIBCO JasperReports Server | 6.4.0, 6.4.1, 6.4.1, 6.4.3 |
Description
TIBCO JasperReports Server User Information Disclosure
Original release date: March 6, 2019
Last revised: --
Source: TIBCO Software Inc.
Description
The component listed above contains a vulnerability that theoretically allows
unauthenticated users to bypass authorization checks for portions of the
HTTP interface to the JasperReports Server.
Impact
The impact of this vulnerability includes the theoretical possibility of
unauthenticated read access to the contents of the host system, when combined
with the vulnerability identified by CVE-2018-18809.
CVSS v3 Base Score: 10.0 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Original release date: March 6, 2019
Last revised: --
Source: TIBCO Software Inc.
Description
The component listed above contains a vulnerability that theoretically allows
unauthenticated users to bypass authorization checks for portions of the
HTTP interface to the JasperReports Server.
Impact
The impact of this vulnerability includes the theoretical possibility of
unauthenticated read access to the contents of the host system, when combined
with the vulnerability identified by CVE-2018-18809.
CVSS v3 Base Score: 10.0 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Issue/Introduction
Security Advisory regarding TIBCO JasperReports Server
Environment
Systems Affected
TIBCO JasperReports Server versions 6.4.0, 6.4.1, 6.4.2, and 6.4.3
TIBCO JasperReports Server version 7.1.0
TIBCO JasperReports Server Community Edition versions 7.1.0 and below
TIBCO JasperReports Server for ActiveMatrix BPM versions 6.4.3 and below
TIBCO Jaspersoft for AWS with Multi-Tenancy versions 7.1.0 and below
TIBCO Jaspersoft Reporting and Analytics for AWS versions 7.1.0 and below
The following components are affected:
* REST API
Resolution
Solution
TIBCO has released updated versions of the affected components which address
these issues.
For each affected system, update to the corresponding software versions:
TIBCO JasperReports Server versions 6.4.0, 6.4.1, 6.4.2, and 6.4.3 update to
version 6.4.4 or higher
TIBCO JasperReports Server version 7.1.0 update to version 7.1.1 or higher
TIBCO JasperReports Server Community Edition versions 7.1.0 and below
update to version 7.1.1 or higher
TIBCO JasperReports Server for ActiveMatrix BPM versions 6.4.3 and below
update to version 6.4.4 or higher
TIBCO Jaspersoft for AWS with Multi-Tenancy versions 7.1.0 and below
update to version 7.1.1 or higher
TIBCO Jaspersoft Reporting and Analytics for AWS versions 7.1.0 and below
update to version 7.1.1 or higher
TIBCO has released updated versions of the affected components which address
these issues.
For each affected system, update to the corresponding software versions:
TIBCO JasperReports Server versions 6.4.0, 6.4.1, 6.4.2, and 6.4.3 update to
version 6.4.4 or higher
TIBCO JasperReports Server version 7.1.0 update to version 7.1.1 or higher
TIBCO JasperReports Server Community Edition versions 7.1.0 and below
update to version 7.1.1 or higher
TIBCO JasperReports Server for ActiveMatrix BPM versions 6.4.3 and below
update to version 6.4.4 or higher
TIBCO Jaspersoft for AWS with Multi-Tenancy versions 7.1.0 and below
update to version 7.1.1 or higher
TIBCO Jaspersoft Reporting and Analytics for AWS versions 7.1.0 and below
update to version 7.1.1 or higher
Additional Information
Acknowledgments
TIBCO would like to extend its appreciation to Steven Seeley (mr_me) of
Source Incite working with Trend Micro Zero Day Initiative for discovery of
this vulnerability.
References
http://www.tibco.com/services/support/advisories
CVE-2018-18815
See also: CVE-2018-18809
TIBCO would like to extend its appreciation to Steven Seeley (mr_me) of
Source Incite working with Trend Micro Zero Day Initiative for discovery of
this vulnerability.
References
http://www.tibco.com/services/support/advisories
CVE-2018-18815
See also: CVE-2018-18809
Feedback
Yes
No
Powered by
