Security Advisory regarding TIBCO JasperReports Library
Article ID: KB0108083
Updated On:
| Products | Versions |
|---|---|
| TIBCO JasperReports | - |
Description
TIBCO JasperReports Library Directory Traversal Vulnerability
Original release date: March 6, 2019
Last revised: --
Source: TIBCO Software Inc.
Description
The component listed above contains a directory-traversal vulnerability that
may theoretically allow web server users to access contents of the host
system.
Impact
The impact of this vulnerability includes the theoretical possibility that
a web server using the provided DefaultWebResourceHandler could expose
details of the host system. The disclosed data could include credentials to
access other systems.
CVSS v3 Base Score: 9.9 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
Original release date: March 6, 2019
Last revised: --
Source: TIBCO Software Inc.
Description
The component listed above contains a directory-traversal vulnerability that
may theoretically allow web server users to access contents of the host
system.
Impact
The impact of this vulnerability includes the theoretical possibility that
a web server using the provided DefaultWebResourceHandler could expose
details of the host system. The disclosed data could include credentials to
access other systems.
CVSS v3 Base Score: 9.9 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
Issue/Introduction
Security Advisory regarding TIBCO JasperReports Library
Environment
Systems Affected
TIBCO JasperReports Library versions 6.3.4 and below
TIBCO JasperReports Library versions 6.4.1, 6.4.2, and 6.4.21
TIBCO JasperReports Library version 7.1.0
TIBCO JasperReports Library version 7.2.0
TIBCO JasperReports Library Community Edition versions 6.7.0 and below
TIBCO JasperReports Library for ActiveMatrix BPM versions 6.4.21 and below
TIBCO JasperReports Server versions 6.3.4 and below
TIBCO JasperReports Server versions 6.4.0, 6.4.1, 6.4.2, and 6.4.3
TIBCO JasperReports Server version 7.1.0
TIBCO JasperReports Server Community Edition versions 6.4.3 and below
TIBCO JasperReports Server Community Edition version 7.1.0
TIBCO JasperReports Server for ActiveMatrix BPM versions 6.4.3 and below
TIBCO Jaspersoft for AWS with Multi-Tenancy versions 7.1.0 and below
TIBCO Jaspersoft Reporting and Analytics for AWS versions 7.1.0 and below
The following components are affected:
* default server implementation
Resolution
Solution
TIBCO has released updated versions of the affected components which address
these issues.
For each affected system, update to the corresponding software versions:
TIBCO JasperReports Library versions 6.3.4 and below update to
version 6.3.5 or higher
TIBCO JasperReports Library versions 6.4.1, 6.4.2, and 6.4.21 update to
version 6.4.22 or higher
TIBCO JasperReports Library version 7.1.0 update to version 7.1.1 or higher
TIBCO JasperReports Library version 7.2.0 update to version 7.2.1 or higher
TIBCO JasperReports Library Community Edition versions 6.7.0 and below
update to version 6.7.1 or higher
TIBCO JasperReports Library for ActiveMatrix BPM versions 6.4.21 and below
update to version 6.4.22 or higher
TIBCO JasperReports Server versions 6.3.4 and below update to version 6.3.5
or higher
TIBCO JasperReports Server versions 6.4.0, 6.4.1, 6.4.2, and 6.4.3 update to
version 6.4.4 or higher
TIBCO JasperReports Server version 7.1.0 update to version 7.1.1 or higher
TIBCO JasperReports Server Community Edition versions 7.1.0 and below
update to version 7.1.1 or higher
TIBCO JasperReports Server for ActiveMatrix BPM versions 6.4.3 and below
update to version 6.4.4 or higher
TIBCO Jaspersoft for AWS with Multi-Tenancy versions 7.1.0 and below
update to version 7.1.1 or higher
TIBCO Jaspersoft Reporting and Analytics for AWS versions 7.1.0 and below
update to version 7.1.1 or higher
TIBCO has released updated versions of the affected components which address
these issues.
For each affected system, update to the corresponding software versions:
TIBCO JasperReports Library versions 6.3.4 and below update to
version 6.3.5 or higher
TIBCO JasperReports Library versions 6.4.1, 6.4.2, and 6.4.21 update to
version 6.4.22 or higher
TIBCO JasperReports Library version 7.1.0 update to version 7.1.1 or higher
TIBCO JasperReports Library version 7.2.0 update to version 7.2.1 or higher
TIBCO JasperReports Library Community Edition versions 6.7.0 and below
update to version 6.7.1 or higher
TIBCO JasperReports Library for ActiveMatrix BPM versions 6.4.21 and below
update to version 6.4.22 or higher
TIBCO JasperReports Server versions 6.3.4 and below update to version 6.3.5
or higher
TIBCO JasperReports Server versions 6.4.0, 6.4.1, 6.4.2, and 6.4.3 update to
version 6.4.4 or higher
TIBCO JasperReports Server version 7.1.0 update to version 7.1.1 or higher
TIBCO JasperReports Server Community Edition versions 7.1.0 and below
update to version 7.1.1 or higher
TIBCO JasperReports Server for ActiveMatrix BPM versions 6.4.3 and below
update to version 6.4.4 or higher
TIBCO Jaspersoft for AWS with Multi-Tenancy versions 7.1.0 and below
update to version 7.1.1 or higher
TIBCO Jaspersoft Reporting and Analytics for AWS versions 7.1.0 and below
update to version 7.1.1 or higher
Additional Information
Acknowledgments
TIBCO would like to extend its appreciation to Elar Lang of Clarified
Security and Sathish Kumar Balakrishnan of CyberSecurityWorks Pvt Ltd for discovery of this
vulnerability.
References
http://www.tibco.com/services/support/advisories
CVE-2018-18809
TIBCO would like to extend its appreciation to Elar Lang of Clarified
Security and Sathish Kumar Balakrishnan of CyberSecurityWorks Pvt Ltd for discovery of this
vulnerability.
References
http://www.tibco.com/services/support/advisories
CVE-2018-18809
Feedback
Yes
No
Powered by
