Security Advisory for TIBCO JasperReport Server
Article ID: KB0108111
Updated On:
| Products | Versions |
|---|---|
| TIBCO JasperReports Server | 6.2.4 and below, 6.3.0, 6.3.2, 6.3.3, 6.4.0, 6.4.2, Community Edition 6.4.2 and below |
Description
Description
The JasperReports Server components listed above contain a vulnerability
which may allow any authenticated user read-only access to the contents of
the web application, including key configuration files.
Impact
The impact includes the possible read-only access by authenticated users to
web application configuration files that contain the credentials used by the
server. Those credentials could then be used to affect external systems
accessed by the JasperReports Server.
CVSS v3 Base Score: 7.7 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)
The JasperReports Server components listed above contain a vulnerability
which may allow any authenticated user read-only access to the contents of
the web application, including key configuration files.
Impact
The impact includes the possible read-only access by authenticated users to
web application configuration files that contain the credentials used by the
server. Those credentials could then be used to affect external systems
accessed by the JasperReports Server.
CVSS v3 Base Score: 7.7 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)
Issue/Introduction
Security Advisory for TIBCO JasperReport Server
Environment
Systems Affected
TIBCO JasperReports Server versions 6.2.4 and below
TIBCO JasperReports Server versions 6.3.0, 6.3.2, and 6.3.3
TIBCO JasperReports Server versions 6.4.0 and 6.4.2
TIBCO JasperReports Server Community Edition versions 6.4.2 and below
TIBCO JasperReports Server for ActiveMatrix BPM versions 6.4.2 and below
TIBCO Jaspersoft for AWS with Multi-Tenancy versions 6.4.2 and below
TIBCO Jaspersoft Reporting and Analytics for AWS versions 6.4.2 and below
The following components are affected:
* Spring web flows
Resolution
Solution
TIBCO has released updated versions of the affected components which address
these issues.
For each affected system, update to the corresponding software versions:
TIBCO JasperReports Server versions 6.2.4 and below update to
version 6.2.5 or higher
TIBCO JasperReports Server versions 6.3.0, 6.3.2, and 6.3.3 update to
version 6.3.4 or higher
TIBCO JasperReports Server versions 6.4.0 and 6.4.2 update to
version 6.4.3 or higher
TIBCO JasperReports Server Community Edition versions 6.4.2 and below
update to version 6.4.3 or higher
TIBCO JasperReports Server for ActiveMatrix BPM versions 6.4.2 and below
update to version 6.4.3 or higher
TIBCO Jaspersoft for AWS with Multi-Tenancy versions 6.4.2 and below
update to version 6.4.3 or higher
TIBCO Jaspersoft Reporting and Analytics for AWS versions 6.4.2 and below
update to version 6.4.3 or higher
TIBCO has released updated versions of the affected components which address
these issues.
For each affected system, update to the corresponding software versions:
TIBCO JasperReports Server versions 6.2.4 and below update to
version 6.2.5 or higher
TIBCO JasperReports Server versions 6.3.0, 6.3.2, and 6.3.3 update to
version 6.3.4 or higher
TIBCO JasperReports Server versions 6.4.0 and 6.4.2 update to
version 6.4.3 or higher
TIBCO JasperReports Server Community Edition versions 6.4.2 and below
update to version 6.4.3 or higher
TIBCO JasperReports Server for ActiveMatrix BPM versions 6.4.2 and below
update to version 6.4.3 or higher
TIBCO Jaspersoft for AWS with Multi-Tenancy versions 6.4.2 and below
update to version 6.4.3 or higher
TIBCO Jaspersoft Reporting and Analytics for AWS versions 6.4.2 and below
update to version 6.4.3 or higher
Additional Information
Acknowledgments
TIBCO would like to extend its appreciation to Hector Monsegur at Rhino
Security Labs for discovery of this vulnerability.
References
http://www.tibco.com/services/support/advisories
CVE: CVE-2018-5430
TIBCO would like to extend its appreciation to Hector Monsegur at Rhino
Security Labs for discovery of this vulnerability.
References
http://www.tibco.com/services/support/advisories
CVE: CVE-2018-5430
Feedback
Yes
No
Powered by
