TIBCO JasperReports Library Vulnerability - 20230104001

Overview

The default server implementation in several TIBCO Software Inc. products contains a directory-traversal vulnerability that may theoretically allow users of the web server to read contents of the host system outside the intended resource directory.

The impact of this vulnerability includes the theoretical possibility that a web server using the provided DefaultWebResourceHandler could expose details of the host system. The disclosed data could include credentials used to access other systems.
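The defect class described above is a resource handler that maps a request path onto the file system without confirming the result stays inside the resource root. The following is an added example, not code from TIBCO or the JasperReports project, of the containment check such a handler needs: it percent-decodes repeatedly (so double-encoded ".." is caught), rejects NUL bytes, treats backslashes as separators, canonicalises both root and candidate (following symlinks), and only then checks that the candidate is under the root. The handler names, the webroot layout and the request paths are constructed for the demonstration.

```python
"""Hardened resource-path resolution for a web resource handler.

Added example; it is not TIBCO's DefaultWebResourceHandler. It assumes a
handler that serves files from one fixed resource root and shows the
containment check whose absence yields a directory-traversal bug.
"""
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote


class TraversalError(ValueError):
    """Raised when a request path would escape the resource root."""


def _decode(request_path: str, max_rounds: int = 3) -> str:
    # Percent-decode until stable so %252e%252e (double-encoded "..")
    # is normalised before the containment check, not after it.
    decoded = request_path
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def resolve_resource(root: Path, request_path: str) -> Path:
    """Map request_path to a file inside root, or raise TraversalError."""
    decoded = _decode(request_path)
    if "\x00" in decoded:
        raise TraversalError("NUL byte in request path")
    # Backslashes are separators on some platforms; normalise them so
    # "..\\" is subject to the same check as "../".
    normalised = decoded.replace("\\", "/").lstrip("/")
    root_resolved = root.resolve()
    # resolve() follows symlinks, so a link inside root that points
    # outside it is rejected as well.
    candidate = (root_resolved / normalised).resolve()
    try:
        candidate.relative_to(root_resolved)
    except ValueError:
        raise TraversalError(f"path escapes resource root: {request_path!r}") from None
    return candidate


def is_safe(root: Path, request_path: str) -> bool:
    """True if request_path resolves inside root, False if it would escape."""
    try:
        resolve_resource(root, request_path)
        return True
    except TraversalError:
        return False


def demo() -> dict:
    """Evaluate constructed request paths against a throwaway webroot.

    Returns {request_path: is_safe}. The webroot and its files are
    constructed here purely for the demonstration.
    """
    # Constructed request paths: legitimate ones plus common traversal shapes.
    requests = [
        "css/app.css",
        "/css/app.css",
        "css/./app.css",
        "../outside.txt",
        "..%2F..%2Foutside.txt",       # single percent-encoding
        "%252e%252e/outside.txt",      # double percent-encoding
        "css/..\\..\\outside.txt",     # backslash separators
        "css%00/../outside.txt",       # NUL byte
        "escape/outside.txt",          # symlink pointing outside root
    ]
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "webroot"
        (root / "css").mkdir(parents=True)
        (root / "css" / "app.css").write_text("body {}")
        try:
            os.symlink(Path(tmp), root / "escape", target_is_directory=True)
        except OSError:
            pass  # platform without symlink support; that case stays False anyway
        return {req: is_safe(root, req) for req in requests}


if __name__ == "__main__":
    for req, ok in demo().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {req!r}")
```

The important ordering is decode, normalise, canonicalise, then compare: a check that looks for ".." in the raw request string before decoding, or compares string prefixes without resolving symlinks, is exactly the kind of check a traversal sequence is crafted to get past.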

What is the vulnerability?

CVE-2018-18809 - CVSS v3 Base Score: 9.9

What is vulnerable?

The vulnerability exists in the default server implementation on the following products:

  • TIBCO JasperReports Library versions 6.3.4 and below
  • TIBCO JasperReports Library versions 6.4.1, 6.4.2, and 6.4.21
  • TIBCO JasperReports Library version 7.1.0
  • TIBCO JasperReports Library version 7.2.0
  • TIBCO JasperReports Library Community Edition versions 6.7.0 and below
  • TIBCO JasperReports Library for ActiveMatrix BPM versions 6.4.21 and below
  • TIBCO JasperReports Server versions 6.3.4 and below
  • TIBCO JasperReports Server versions 6.4.0, 6.4.1, 6.4.2, and 6.4.3
  • TIBCO JasperReports Server version 7.1.0
  • TIBCO JasperReports Server Community Edition versions 6.4.3 and below
  • TIBCO JasperReports Server Community Edition version 7.1.0
  • TIBCO JasperReports Server for ActiveMatrix BPM versions 6.4.3 and below
  • TIBCO Jaspersoft for AWS with Multi-Tenancy versions 7.1.0 and below
  • TIBCO Jaspersoft Reporting and Analytics for AWS versions 7.1.0 and below

What has been observed?

CISA has listed this vulnerability in its Known Exploited Vulnerabilities catalog.

Recommendation

Due to the report of active exploitation, it is strongly recommended to patch this vulnerability within 2 weeks across all affected platforms, following the vendor's solution instructions: https://www.tibco.com/support/advisories/2019/03/tibco-security-advisory-march-6-2019-tibco-jasperreports-library-2018-18809