CVE-2018-18809

The default server implementation of TIBCO Software Inc.'s TIBCO JasperReports Library, TIBCO JasperReports Library Community Edition, TIBCO JasperReports Library for ActiveMatrix BPM, TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, and TIBCO Jaspersoft Reporting and Analytics for AWS contains a directory-traversal vulnerability that may theoretically allow web server users to access contents of the host system. Affected releases are TIBCO Software Inc.'s TIBCO JasperReports Library: versions up to and including 6.3.4; 6.4.1; 6.4.2; 6.4.21; 7.1.0; 7.2.0, TIBCO JasperReports Library Community Edition: versions up to and including 6.7.0, TIBCO JasperReports Library for ActiveMatrix BPM: versions up to and including 6.4.21, TIBCO JasperReports Server: versions up to and including 6.3.4; 6.4.0; 6.4.1; 6.4.2; 6.4.3; 7.1.0, TIBCO JasperReports Server Community Edition: versions up to and including 6.4.3; 7.1.0, TIBCO JasperReports Server for ActiveMatrix BPM: versions up to and including 6.4.3, TIBCO Jaspersoft for AWS with Multi-Tenancy: versions up to and including 7.1.0, TIBCO Jaspersoft Reporting and Analytics for AWS: versions up to and including 7.1.0.

CVSS v3 6.5 MEDIUM
CVSS v2.0 4.0 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:S/C:P/I:N/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://packetstormsecurity.com/files/154406/Tibco-JasperSoft-Path-Traversal.html	Third Party Advisory VDB Entry
http://seclists.org/fulldisclosure/2019/Sep/17	Mailing List Third Party Advisory
http://www.securityfocus.com/bid/107351	Broken Link Third Party Advisory VDB Entry
http://www.tibco.com/services/support/advisories	Vendor Advisory
https://cybersecurityworks.com/zerodays/cve-2018-18809-tibco.html	Exploit Third Party Advisory
https://security.elarlang.eu/cve-2018-18809-path-traversal-in-tibco-jaspersoft.html	Exploit Third Party Advisory
https://www.tibco.com/support/advisories/2019/03/tibco-security-advisory-march-6-2019-tibco-jasperreports-library-2018-18809	Vendor Advisory
http://packetstormsecurity.com/files/154406/Tibco-JasperSoft-Path-Traversal.html	Third Party Advisory VDB Entry
http://seclists.org/fulldisclosure/2019/Sep/17	Mailing List Third Party Advisory
http://www.securityfocus.com/bid/107351	Broken Link Third Party Advisory VDB Entry
http://www.tibco.com/services/support/advisories	Vendor Advisory
https://cybersecurityworks.com/zerodays/cve-2018-18809-tibco.html	Exploit Third Party Advisory
https://security.elarlang.eu/cve-2018-18809-path-traversal-in-tibco-jaspersoft.html	Exploit Third Party Advisory
https://www.tibco.com/support/advisories/2019/03/tibco-security-advisory-march-6-2019-tibco-jasperreports-library-2018-18809	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:tibco:jasperreports_library:::::activematrix_bpm:::*
	cpe:2.3:a:tibco:jasperreports_library:::::community:::*
	cpe:2.3:a:tibco:jasperreports_library:6.3.4:::::::*
	cpe:2.3:a:tibco:jasperreports_library:6.4.1:::::::*
	cpe:2.3:a:tibco:jasperreports_library:6.4.2:::::::*
	cpe:2.3:a:tibco:jasperreports_library:6.4.21:::::::*
	cpe:2.3:a:tibco:jasperreports_library:7.1.0:::::::*
	cpe:2.3:a:tibco:jasperreports_library:7.2.0:::::::*
	cpe:2.3:a:tibco:jasperreports_server::::::activematrix_bpm::*
	cpe:2.3:a:tibco:jasperreports_server:::::community:::*
	cpe:2.3:a:tibco:jasperreports_server:6.3.4:::::::*
	cpe:2.3:a:tibco:jasperreports_server:6.4.0:::::::*
	cpe:2.3:a:tibco:jasperreports_server:6.4.1:::::::*
	cpe:2.3:a:tibco:jasperreports_server:6.4.2:::::::*
	cpe:2.3:a:tibco:jasperreports_server:6.4.3:::::::*
	cpe:2.3:a:tibco:jasperreports_server:7.1.0:::::::*
	cpe:2.3:a:tibco:jasperreports_server:7.1.0::::community:::

Configuration 2 (hide)

OR	cpe:2.3:a:tibco:jaspersoft::::::aws_with_multi-tenancy::*
	cpe:2.3:a:tibco:jaspersoft_reporting_and_analytics::::::aws::*

History

21 Nov 2024, 03:56

Type	Values Removed	Values Added
References	~~() http://packetstormsecurity.com/files/154406/Tibco-JasperSoft-Path-Traversal.html - Third Party Advisory, VDB Entry~~	() http://packetstormsecurity.com/files/154406/Tibco-JasperSoft-Path-Traversal.html - Third Party Advisory, VDB Entry
References	~~() http://seclists.org/fulldisclosure/2019/Sep/17 - Mailing List, Third Party Advisory~~	() http://seclists.org/fulldisclosure/2019/Sep/17 - Mailing List, Third Party Advisory
References	~~() http://www.securityfocus.com/bid/107351 - Broken Link, Third Party Advisory, VDB Entry~~	() http://www.securityfocus.com/bid/107351 - Broken Link, Third Party Advisory, VDB Entry
References	~~() http://www.tibco.com/services/support/advisories - Vendor Advisory~~	() http://www.tibco.com/services/support/advisories - Vendor Advisory
References	~~() https://cybersecurityworks.com/zerodays/cve-2018-18809-tibco.html - Exploit, Third Party Advisory~~	() https://cybersecurityworks.com/zerodays/cve-2018-18809-tibco.html - Exploit, Third Party Advisory
References	~~() https://security.elarlang.eu/cve-2018-18809-path-traversal-in-tibco-jaspersoft.html - Exploit, Third Party Advisory~~	() https://security.elarlang.eu/cve-2018-18809-path-traversal-in-tibco-jaspersoft.html - Exploit, Third Party Advisory
References	~~() https://www.tibco.com/support/advisories/2019/03/tibco-security-advisory-march-6-2019-tibco-jasperreports-library-2018-18809 - Vendor Advisory~~	() https://www.tibco.com/support/advisories/2019/03/tibco-security-advisory-march-6-2019-tibco-jasperreports-library-2018-18809 - Vendor Advisory

Information

Published : 2019-03-07 22:29

Updated : 2024-11-21 03:56

NVD link : CVE-2018-18809

Mitre link : CVE-2018-18809

CVE.ORG link : CVE-2018-18809

JSON object : View

Products Affected

tibco

jasperreports_library
jaspersoft_reporting_and_analytics
jasperreports_server
jaspersoft

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

6.5 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

JSON object

Attach tags to CVE-2018-18809

6.5^/10

4.0^/10

Attach tags to `CVE-2018-18809`