CISA warns of TIBCO software’s JasperReports vulnerabilities

Obanla Opeyemi

January 11, 2023 - TuxCare expert team

The United States Cybersecurity and Infrastructure Security Agency (CISA) has added two security flaws from 2018, tracked as CVE-2018-5430 (CVSS score: 7.7) and CVE-2018-18809 (CVSS score: 9.9) and affecting TIBCO Software's JasperReports products, to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

The first of the two flaws, CVE-2018-5430, is an information disclosure vulnerability in the server component of TIBCO JasperReports Server. Any authenticated user could exploit it to gain read-only access to the contents of the web application, including key configuration files. According to the TIBCO advisory published at the time, those configuration files can contain the server's credentials, which an attacker could then use against external systems that the JasperReports Server connects to.

The second flaw, CVE-2018-18809, is a directory traversal vulnerability in the TIBCO JasperReports Library (not in IBM products, as some reports have stated). It could allow web server users to access the contents of the host system, including private files, potentially exposing credentials that grant access to other systems.
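The directory traversal class described above, as an added example that is not JasperReports or TIBCO code and does not reproduce the mechanism of CVE-2018-18809: a constructed file-serving check that contrasts the naive "reject any '..'" filter many applications ship with against a canonical-path containment test. The base directory /srv/reports and the sample request strings are assumptions made for illustration.

```python
# Added example, not TIBCO/JasperReports code: contrasting a naive directory
# traversal filter with a canonical-path containment check. The base directory
# and the request paths below are constructed for illustration.
import posixpath
from urllib.parse import unquote

BASE = "/srv/reports"  # hypothetical document root served to web users


def naive_is_safe(user_path: str) -> bool:
    """The check many applications ship with: reject any literal '..'.
    It misses percent-encoded dots and does nothing about absolute paths."""
    return ".." not in user_path


def resolve_safely(base: str, user_path: str):
    """Return the canonical absolute path if it stays inside base, else None.

    Steps: decode percent-encoding exactly once (the same number of times the
    server itself decodes it), treat the request as relative to base, collapse
    '.' and '..' segments, then check containment with a trailing separator so
    a sibling such as /srv/reports2 is not accepted as inside /srv/reports.
    Symlinks are not resolved here; on a real filesystem apply os.path.realpath
    to both sides before comparing.
    """
    decoded = unquote(user_path)
    base_norm = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base_norm, decoded.lstrip("/")))
    if candidate == base_norm or candidate.startswith(base_norm + "/"):
        return candidate
    return None


# Constructed requests: a few benign lookups plus the shapes a probe would take.
SAMPLE_REQUESTS = [
    "monthly/sales.pdf",            # benign
    "a/../b.pdf",                   # benign: '..' that stays inside base
    "../../etc/passwd",             # classic traversal
    "%2e%2e/%2e%2e/etc/passwd",     # percent-encoded traversal, no literal '..'
    "reports/../../../etc/passwd",  # traversal hidden behind a valid prefix
    "../reports2/secret.xml",       # sibling-directory prefix trick
    "/etc/passwd",                  # absolute path, served relative to base
]


def audit(requests=SAMPLE_REQUESTS):
    """Return (request, naive_verdict, resolved_path_or_None) for each request."""
    return [(r, naive_is_safe(r), resolve_safely(BASE, r)) for r in requests]


if __name__ == "__main__":
    for req, naive, resolved in audit():
        naive_verdict = "pass" if naive else "block"
        canonical_verdict = "ALLOW" if resolved else "BLOCK"
        print(f"{req:32} naive={naive_verdict:5} canonical={canonical_verdict} {resolved or ''}")
```

Running the block shows the percent-encoded request passing the naive filter but being rejected by the containment check, and the sibling-directory request being rejected only because the comparison includes the trailing separator. Decode the request the same number of times the server does: a double-encoded `%252e` decodes once to the literal `%2e`, which is then a harmless directory name here but would become `..` if a later layer decoded it again.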

While no public reports of malicious exploitation of the two vulnerabilities appear to exist, CISA only adds flaws to its KEV catalog (informally, its 'Must Patch' list) when it has reliable evidence of exploitation in the wild. Technical details and proof-of-concept (PoC) exploits for both vulnerabilities are publicly available. CISA has not shared any further information on how the vulnerabilities are being weaponized in actual attacks; federal agencies in the United States must patch their systems by January 19, 2023.

JasperReports is a Java-based reporting and data analytics platform used to create, distribute, and manage reports and dashboards.

The sources for this piece include an article in SecurityAffairs.
