8.8

CVE-2018-5430

Warning
Exploit

The Spring web flows of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, and TIBCO Jaspersoft Reporting and Analytics for AWS contain a vulnerability which may allow any authenticated user read-only access to the contents of the web application, including key configuration files. Affected releases include TIBCO Software Inc.'s TIBCO JasperReports Server: versions up to and including 6.2.4; 6.3.0; 6.3.2; 6.3.3; 6.4.0; 6.4.2, TIBCO JasperReports Server Community Edition: versions up to and including 6.4.2, TIBCO JasperReports Server for ActiveMatrix BPM: versions up to and including 6.4.2, TIBCO Jaspersoft for AWS with Multi-Tenancy: versions up to and including 6.4.2, TIBCO Jaspersoft Reporting and Analytics for AWS: versions up to and including 6.4.2.

Data is provided by the National Vulnerability Database (NVD)
Tibco Jasperreports Server, Version <= 6.2.4
Tibco Jasperreports Server, SwPlatform activematrix_bpm, Version <= 6.4.2
Tibco Jasperreports Server, SwEdition community, Version <= 6.4.2
Tibco Jasperreports Server, Version 6.3.0
Tibco Jasperreports Server, Version 6.3.2
Tibco Jasperreports Server, Version 6.3.3
Tibco Jasperreports Server, Version 6.4.0
Tibco Jasperreports Server, Version 6.4.2
Tibco Jaspersoft, SwPlatform aws_with_multi-tenancy, Version <= 6.4.2
Tibco Jaspersoft Reporting And Analytics, SwPlatform aws, Version <= 6.4.2

29.12.2022: CISA Known Exploited Vulnerabilities (KEV) Catalog

Vulnerability: TIBCO JasperReports Server Information Disclosure Vulnerability

Description: TIBCO JasperReports Server contains a vulnerability which may allow any authenticated user read-only access to the contents of the web application, including key configuration files.

Required actions: Apply updates per vendor instructions.

EPSS Metrics
Type | Source | Score | Percentile
EPSS | FIRST.org | 70.81% | 0.987

CVSS Metrics
Source | Base Score | Exploit Score | Impact Score | Vector string
nvd@nist.gov | 8.8 | 2.8 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov | 4 | 8 | 2.9 | AV:N/AC:L/Au:S/C:P/I:N/A:N
security@tibco.com | 7.7 | 3.1 | 4 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.