QID 730678
Date Published: 2023-01-03
QID 730678: TIBCO JasperReports Library Directory Traversal Vulnerability (Tibco-Security-advisory-march-6-2019-tibco-jasperreports-library-2018-18809)
The JasperReports Server components listed below contain a vulnerability that may allow any authenticated user read-only access to the contents of the web application, including key configuration files.
Affected Products:
TIBCO JasperReports Library versions 6.3.4 and below
TIBCO JasperReports Library versions 6.4.1, 6.4.2, and 6.4.21
TIBCO JasperReports Library version 7.1.0
TIBCO JasperReports Library version 7.2.0
TIBCO JasperReports Library Community Edition versions 6.7.0 and below
TIBCO JasperReports Library for ActiveMatrix BPM versions 6.4.21 and below
TIBCO JasperReports Server versions 6.3.4 and below
TIBCO JasperReports Server versions 6.4.0, 6.4.1, 6.4.2, and 6.4.3
TIBCO JasperReports Server version 7.1.0
TIBCO JasperReports Server Community Edition versions 6.4.3 and below
TIBCO JasperReports Server Community Edition version 7.1.0
TIBCO JasperReports Server for ActiveMatrix BPM versions 6.4.3 and below
TIBCO Jaspersoft for AWS with Multi-Tenancy versions 7.1.0 and below
TIBCO Jaspersoft Reporting and Analytics for AWS versions 7.1.0 and below
QID Detection Logic: (unauthenticated)
This QID sends a GET request to the target to extract the contents of the js.jdbc.properties file.
The impact includes the possible read-only access by authenticated users to web application configuration files that contain the credentials used by the server. Those credentials could then be used to affect external systems accessed by the JasperReports Server.
tibco-security-advisory-march-6-2019-tibco-jasperreports-library-2018-18809: www.tibco.com/support/advisories/2019/03/tibco-security-advisory-march-6-2019-tibco-jasperreports-library-2018-18809
CVEs related to QID 730678
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| tibco-security-advisory-march-6-2019-tibco-jasperreports-library-2018-18809 | | | |