CVE-2018-5430

Warnung

Exploit

EPSS 70.81%
Veröffentlicht 17.04.2018 18:29:00
Zuletzt bearbeitet 12.02.2025 20:44:41
Quelle security@tibco.com
Teams Watchlist Login
Unerledigt Login

The Spring web flows of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, and TIBCO Jaspersoft Reporting and Analytics for AWS contain a vulnerability which may allow any authenticated user read-only access to the contents of the web application, including key configuration files. Affected releases include TIBCO Software Inc.'s TIBCO JasperReports Server: versions up to and including 6.2.4; 6.3.0; 6.3.2; 6.3.3;6.4.0; 6.4.2, TIBCO JasperReports Server Community Edition: versions up to and including 6.4.2, TIBCO JasperReports Server for ActiveMatrix BPM: versions up to and including 6.4.2, TIBCO Jaspersoft for AWS with Multi-Tenancy: versions up to and including 6.4.2, TIBCO Jaspersoft Reporting and Analytics for AWS: versions up to and including 6.4.2.

Betroffene Produkte Warnungen 1 Metriken 4 CWE 2 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Tibco ≫ Jasperreports Server Version <= 6.2.4

Tibco ≫ Jasperreports Server SwPlatformactivematrix_bpm Version <= 6.4.2

Tibco ≫ Jasperreports Server SwEditioncommunity Version <= 6.4.2

Tibco ≫ Jasperreports Server Version6.3.0

Tibco ≫ Jasperreports Server Version6.3.2

Tibco ≫ Jasperreports Server Version6.3.3

Tibco ≫ Jasperreports Server Version6.4.0

Tibco ≫ Jasperreports Server Version6.4.2

Tibco ≫ Jaspersoft SwPlatformaws_with_multi-tenancy Version <= 6.4.2

Tibco ≫ Jaspersoft Reporting And Analytics SwPlatformaws Version <= 6.4.2

29.12.2022: CISA Known Exploited Vulnerabilities (KEV) Catalog

TIBCO JasperReports Server Information Disclosure Vulnerability

Schwachstelle

TIBCO JasperReports Server contain a vulnerability which may allow any authenticated user read-only access to the contents of the web application, including key configuration files.

Beschreibung

Apply updates per vendor instructions.

Erforderliche Maßnahmen

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	70.81%	0.987

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	4	8	2.9	AV:N/AC:L/Au:S/C:P/I:N/A:N
security@tibco.com	7.7	3.1	4	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

https://rhinosecuritylabs.com/application-security/authenticated-file-read-vulnerability-in-jasperreports/

Third Party Advisory

Exploit

https://www.exploit-db.com/exploits/44623/

Third Party Advisory

Exploit

VDB Entry

https://www.tibco.com/support/advisories/2018/04/tibco-security-advisory-april-17-2018-tibco-jasperreports-2018-5430

Vendor Advisory

Broken Link

https://nvd.nist.gov/vuln/detail/CVE-2018-5430

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2018-5430

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2018-5430

EUVD