QID 730689

Date Published: 2023-01-18

QID 730689: TIBCO JasperReports Server Information Disclosure Vulnerability

The JasperReports Server components listed below contain a vulnerability that may allow any authenticated user read-only access to the contents of the web application, including key configuration files.

Affected Products:
TIBCO JasperReports Server versions 6.2.4 and below
TIBCO JasperReports Server versions 6.3.0, 6.3.2, and 6.3.3
TIBCO JasperReports Server versions 6.4.0 and 6.4.2
TIBCO JasperReports Server Community Edition versions 6.4.2 and below
TIBCO JasperReports Server for ActiveMatrix BPM versions 6.4.2 and below
TIBCO Jaspersoft for AWS with Multi-Tenancy versions 6.4.2 and below
TIBCO Jaspersoft Reporting and Analytics for AWS versions 6.4.2 and below

QID Detection Logic (unauthenticated):
The check identifies vulnerable versions of TIBCO JasperReports Server.

The impact includes the possible read-only access by authenticated users to web application configuration files that contain the credentials used by the server. Those credentials could then be used to affect external systems accessed by the JasperReports Server.

  • CVSS V3 rated as Critical - 8.8 severity.
  • CVSS V2 rated as Medium - 4 severity.
Solution:
Customers are advised to follow the TIBCO advisory tibco-security-advisory-april-17-2018-tibco-jasperreports-2018-5430 for remediation instructions.
    Vendor References

    CVEs related to QID 730689

Software Advisories
Advisory ID: tibco-security-advisory-april-17-2018-tibco-jasperreports-2018-5430
Link: www.tibco.com/support/advisories/2018/04/tibco-security-advisory-april-17-2018-tibco-jasperreports-2018-5430