10
CVE-2020-9409
- EPSS 3.14%
- Veröffentlicht 20.05.2020 13:15:10
- Zuletzt bearbeitet 21.11.2024 05:40:35
- Quelle security@tibco.com
- CVE-Watchlists
- Unerledigt
LoginTIBCO JasperReports Server Fails To Enforce Access Restrictions
The administrative UI component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server for AWS Marketplace, and TIBCO JasperReports Server for ActiveMatrix BPM contains a vulnerability that theoretically allows an unauthenticated attacker to obtain the permissions of a JasperReports Server "superuser" for the affected systems. The attacker can theoretically exploit the vulnerability consistently, remotely, and without authenticating. Affected releases are TIBCO Software Inc.'s TIBCO JasperReports Server: versions 7.1.1 and below, TIBCO JasperReports Server for AWS Marketplace: versions 7.1.1 and below, and TIBCO JasperReports Server for ActiveMatrix BPM: versions 7.1.1 and below.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Tibco ≫ Jasperreports Server SwPlatform- Version <= 7.1.1
Tibco ≫ Jasperreports Server SwPlatformactivematrix_bpm Version <= 7.1.1
Tibco ≫ Jasperreports Server SwPlatformaws_marketplace Version <= 7.1.1
Oracle ≫ Retail Order Broker Version15.0
Oracle ≫ Retail Order Broker Version16.0
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 3.14% | 0.868 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 10 | 10 | 10 |
AV:N/AC:L/Au:N/C:C/I:C/A:C
|
| security@tibco.com | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
CWE-276 Incorrect Default Permissions
During installation, installed file permissions are set to allow anyone to modify those files.