CVE-2018-18809
Summary
| CVE | CVE-2018-18809 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2019-03-07 22:29:00 UTC |
| Updated | 2023-03-01 18:02:00 UTC |
| Description | The default server implementation of TIBCO Software Inc.'s TIBCO JasperReports Library, TIBCO JasperReports Library Community Edition, TIBCO JasperReports Library for ActiveMatrix BPM, TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, and TIBCO Jaspersoft Reporting and Analytics for AWS contains a directory-traversal vulnerability that may theoretically allow web server users to access contents of the host system. Affected releases are TIBCO Software Inc.'s TIBCO JasperReports Library: versions up to and including 6.3.4; 6.4.1; 6.4.2; 6.4.21; 7.1.0; 7.2.0, TIBCO JasperReports Library Community Edition: versions up to and including 6.7.0, TIBCO JasperReports Library for ActiveMatrix BPM: versions up to and including 6.4.21, TIBCO JasperReports Server: versions up to and including 6.3.4; 6.4.0; 6.4.1; 6.4.2; 6.4.3; 7.1.0, TIBCO JasperReports Server Community Edition: versions up to and including 6.4.3; 7.1.0, TIBCO JasperReports Server for ActiveMatrix BPM: versions up to and including 6.4.3, TIBCO Jaspersoft for AWS with Multi-Tenancy: versions up to and including 7.1.0, TIBCO Jaspersoft Reporting and Analytics for AWS: versions up to and including 7.1.0. |
Risk And Classification
EPSS: 0.939090000 probability, percentile 0.998740000 (date 2026-04-01)
CISA KEV: Listed on 2022-12-29; due 2023-01-19; ransomware use Unknown
Problem Types: CWE-22
CISA Known Exploited Vulnerability
| Vendor | TIBCO |
|---|---|
| Product | JasperReports |
| Name | TIBCO JasperReports Library Directory Traversal Vulnerability |
| Required Action | Apply updates per vendor instructions. |
| Notes | https://www.tibco.com/support/advisories/2019/03/tibco-security-advisory-march-6-2019-tibco-jasperreports-library-2018-18809; https://nvd.nist.gov/vuln/detail/CVE-2018-18809 |
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Tibco | Jasperreports Library | 6.3.4 | All | All | All |
| Application | Tibco | Jasperreports Library | 6.4.1 | All | All | All |
| Application | Tibco | Jasperreports Library | 6.4.2 | All | All | All |
| Application | Tibco | Jasperreports Library | 6.4.21 | All | All | All |
| Application | Tibco | Jasperreports Library | 7.1.0 | All | All | All |
| Application | Tibco | Jasperreports Library | 7.2.0 | All | All | All |
| Application | Tibco | Jasperreports Library | 6.3.4 | All | All | All |
| Application | Tibco | Jasperreports Library | 6.4.1 | All | All | All |
| Application | Tibco | Jasperreports Library | 6.4.2 | All | All | All |
| Application | Tibco | Jasperreports Library | 6.4.21 | All | All | All |
| Application | Tibco | Jasperreports Library | 7.1.0 | All | All | All |
| Application | Tibco | Jasperreports Library | 7.2.0 | All | All | All |
| Application | Tibco | Jasperreports Library | All | All | All | All |
| Application | Tibco | Jasperreports Library | All | All | All | All |
| Application | Tibco | Jasperreports Server | 6.3.4 | All | All | All |
| Application | Tibco | Jasperreports Server | 6.4.0 | All | All | All |
| Application | Tibco | Jasperreports Server | 6.4.1 | All | All | All |
| Application | Tibco | Jasperreports Server | 6.4.2 | All | All | All |
| Application | Tibco | Jasperreports Server | 6.4.3 | All | All | All |
| Application | Tibco | Jasperreports Server | 7.1.0 | All | All | All |
| Application | Tibco | Jasperreports Server | 7.1.0 | All | All | All |
| Application | Tibco | Jasperreports Server | 6.3.4 | All | All | All |
| Application | Tibco | Jasperreports Server | 6.4.0 | All | All | All |
| Application | Tibco | Jasperreports Server | 6.4.1 | All | All | All |
| Application | Tibco | Jasperreports Server | 6.4.2 | All | All | All |
| Application | Tibco | Jasperreports Server | 6.4.3 | All | All | All |
| Application | Tibco | Jasperreports Server | 7.1.0 | All | All | All |
| Application | Tibco | Jasperreports Server | 7.1.0 | All | All | All |
| Application | Tibco | Jasperreports Server | All | All | All | All |
| Application | Tibco | Jasperreports Server | All | All | All | All |
| Application | Tibco | Jaspersoft | All | All | All | All |
| Application | Tibco | Jaspersoft Reporting And Analytics | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| TIBCO Security Advisory: March 6, 2019 - TIBCO JasperReports Library - 2018-18809 | TIBCO Software | CONFIRM | www.tibco.com | Vendor Advisory |
| Full Disclosure: CVE-2018-18809 Path traversal in Tibco JasperSoft | FULLDISC | seclists.org | |
| Advisory | TIBCO Software | MISC | www.tibco.com | Vendor Advisory |
| CVE-2018-18809 - Directory Traversal Vulnerability in TIBCO JasperReports Library | MISC | cybersecurityworks.com | |
| Tibco JasperSoft Path Traversal ≈ Packet Storm | MISC | packetstormsecurity.com | |
| CVE-2018-18809 Path traversal in Tibco JasperSoft - Security | Elar Lang | MISC | security.elarlang.eu | |
| TIBCO JasperReports Server CVE-2018-18809 Directory Traversal Vulnerability | BID | www.securityfocus.com | Third Party Advisory, VDB Entry |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
| CISA Known Exploited Vulnerabilities catalog | CISA | www.cisa.gov | kev |
Vendor Comments And Credit
Discovery Credit
LEGACY: TIBCO would like to extend its appreciation to Elar Lang of Clarified Security and Sathish Kumar Balakrishnan from Cyber Security Works Pvt Ltd for discovery of this vulnerability.
Legacy QID Mappings
- 730678 TIBCO JasperReports Library Directory Traversal Vulnerability (Tibco-Security-advisory-march-6-2019-tibco-jasperreports-library-2018-18809)