TIBCO JasperReports unauthorized access to temporary object
Original release date: October 12, 2021
Last revised: ---
Source: TIBCO Software Inc.
Description
The component listed below contains a race condition that allows a low-privileged authenticated attacker, via the REST API, to obtain read access to temporary objects created by other users on the affected system.
Impact
Successful exploitation of this vulnerability gives the attacker unauthorized read access to the data of other users on the affected system.
CVSS v3 Base Score: 5.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N)
Environment
Products Affected
TIBCO JasperReports Server versions 7.2.1 and below
TIBCO JasperReports Server versions 7.5.0 and 7.5.1
TIBCO JasperReports Server version 7.8.0
TIBCO JasperReports Server version 7.9.0
TIBCO JasperReports Server - Community Edition versions 7.8.0 and below
TIBCO JasperReports Server - Developer Edition versions 7.9.0 and below
TIBCO JasperReports Server for AWS Marketplace versions 7.9.0 and below
TIBCO JasperReports Server for ActiveMatrix BPM versions 7.9.0 and below
TIBCO JasperReports Server for Microsoft Azure version 7.8.0
The following component is affected:
* REST API
Resolution
Solution
TIBCO has released updated versions of the affected systems which address this issue:
TIBCO JasperReports Server versions 7.2.1 and below: update to version 7.2.2 or later
TIBCO JasperReports Server versions 7.5.0 and 7.5.1: update to version 7.5.2 or later
TIBCO JasperReports Server version 7.8.0: update to version 7.8.1 or later
TIBCO JasperReports Server version 7.9.0: update to version 7.9.1 or later
TIBCO JasperReports Server - Community Edition versions 7.8.0 and below: update to version 7.8.1 or later
TIBCO JasperReports Server - Developer Edition versions 7.9.0 and below: update to version 7.9.1 or later
TIBCO JasperReports Server for AWS Marketplace versions 7.9.0 and below: update to version 7.9.1 or later
TIBCO JasperReports Server for ActiveMatrix BPM versions 7.9.0 and below: update to version 7.9.1 or later
TIBCO JasperReports Server for Microsoft Azure version 7.8.0: update to version 7.9.1 or later
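
The affected-version and update lists above can be applied to an asset inventory mechanically. The following is an added example, not TIBCO code: the host names and inventory layout are constructed, and the function names (ver, check, triage) are hypothetical. It assumes the inventory records the product name exactly as the advisory spells it.

```python
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    product: str
    low: Optional[tuple]  # None encodes the advisory's "and below"
    high: tuple           # inclusive upper bound of the affected range
    fixed: str            # version the advisory says to update to (or later)

def ver(s: str) -> tuple:
    """Parse 'X.Y.Z' into a comparable tuple; '7.8' is zero-padded to (7, 8, 0)."""
    parts = [int(p) for p in s.strip().split(".")]
    if not 1 <= len(parts) <= 3 or min(parts) < 0:
        raise ValueError(f"unsupported version string: {s!r}")
    return tuple(parts + [0] * (3 - len(parts)))

BASE = "TIBCO JasperReports Server"
RULES = [  # transcribed from the Products Affected and Solution lists
    Rule(BASE, None, ver("7.2.1"), "7.2.2"),
    Rule(BASE, ver("7.5.0"), ver("7.5.1"), "7.5.2"),
    Rule(BASE, ver("7.8.0"), ver("7.8.0"), "7.8.1"),
    Rule(BASE, ver("7.9.0"), ver("7.9.0"), "7.9.1"),
    Rule(BASE + " - Community Edition", None, ver("7.8.0"), "7.8.1"),
    Rule(BASE + " - Developer Edition", None, ver("7.9.0"), "7.9.1"),
    Rule(BASE + " for AWS Marketplace", None, ver("7.9.0"), "7.9.1"),
    Rule(BASE + " for ActiveMatrix BPM", None, ver("7.9.0"), "7.9.1"),
    Rule(BASE + " for Microsoft Azure", ver("7.8.0"), ver("7.8.0"), "7.9.1"),
]

def check(product: str, version: str) -> Optional[str]:
    """Return the fixed version if the advisory lists this build as affected, else None."""
    rules = [r for r in RULES if r.product == product]
    if not rules:
        raise KeyError(f"product not covered by this advisory: {product!r}")
    v = ver(version)
    for r in rules:
        if (r.low is None or r.low <= v) and v <= r.high:
            return r.fixed
    return None  # not listed; this is not a statement that the build is patched

INVENTORY = [  # constructed sample data: (host, product, installed version)
    ("reports-01", BASE, "7.5.1"),
    ("reports-03", BASE, "7.3.0"),  # falls between the listed ranges
    ("dev-01", BASE + " - Developer Edition", "7.3.0"),
    ("az-01", BASE + " for Microsoft Azure", "7.8"),
]

def triage(inventory):
    """Return (host, version, fixed) for every inventory entry the advisory lists."""
    return [(h, v, f) for h, p, v in inventory if (f := check(p, v))]
```

For the base product the listed ranges are disjoint, so a build such as 7.3.0 matches none of them; check returns None in that case, which means only that the advisory does not list it.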