Security Advisory Regarding TIBCO JasperReports

Security Advisory Regarding TIBCO JasperReports

book

Article ID: KB0108005

calendar_today

Updated On:

Products Versions
TIBCO JasperReports Server 7.2.1 and below, 7.5.0 and 7.5.1, 7.8.0, 7.9.0

Description

TIBCO JasperReports unauthorized access to temporary object

  Original release date: October 12, 2021
  Last revised: ---
  Source: TIBCO Software Inc.

Description

  The components listed above contain a race condition that allows a low
  privileged authenticated attacker via the REST API to obtain read access to
  temporary objects created by other users on the affected system.


Impact

  Successful execution of this vulnerability results in the attacker gaining
  unauthorized read access to the data of other users on the affected system.

  CVSS v3 Base Score: 5.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N)

Issue/Introduction

TIBCO JasperReports unauthorized access to temporary object

Environment

Products Affected TIBCO JasperReports Server versions 7.2.1 and below TIBCO JasperReports Server versions 7.5.0 and 7.5.1 TIBCO JasperReports Server version 7.8.0 TIBCO JasperReports Server version 7.9.0 TIBCO JasperReports Server - Community Edition versions 7.8.0 and below TIBCO JasperReports Server - Developer Edition versions 7.9.0 and below TIBCO JasperReports Server for AWS Marketplace versions 7.9.0 and below TIBCO JasperReports Server for ActiveMatrix BPM versions 7.9.0 and below TIBCO JasperReports Server for Microsoft Azure version 7.8.0 The following component is affected: * Rest API

Resolution

Solution

  TIBCO has released updated versions of the affected systems which address this
  issue:

  TIBCO JasperReports Server versions 7.2.1 and below update to version 7.2.2
    or later

  TIBCO JasperReports Server versions 7.5.0 and 7.5.1 update to version 7.5.2
    or later

  TIBCO JasperReports Server version 7.8.0 update to version 7.8.1 or later

  TIBCO JasperReports Server version 7.9.0 update to version 7.9.1 or later

  TIBCO JasperReports Server - Community Edition versions 7.8.0 and below
    update to version 7.8.1 or later

  TIBCO JasperReports Server - Developer Edition versions 7.9.0 and below
    update to version 7.9.1 or later

  TIBCO JasperReports Server for AWS Marketplace versions 7.9.0 and below
    update to version 7.9.1 or later

  TIBCO JasperReports Server for ActiveMatrix BPM versions 7.9.0 and below
    update to version 7.9.1 or later

  TIBCO JasperReports Server for Microsoft Azure version 7.8.0 update to
    version 7.9.1 or later
 

Additional Information

  https://www.tibco.com/services/support/advisories
  CVE-2021-35494