Lucene search

[email protected]CVE-2017-5532

HistoryNov 17, 2017 - 12:00 a.m.

CVE-2017-5532

2017-11-1700:00:00

CWE-79

[email protected]

web.nvd.nist.gov

tibco

jasperreports

server

xss

security

vulnerability

cross-site scripting

nvd

3.5 Low

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

21.7%

JSON

A vulnerability in the report renderer component of TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO JasperReports Library, TIBCO JasperReports Library for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, TIBCO Jaspersoft Reporting and Analytics for AWS, TIBCO Jaspersoft Studio, and TIBCO Jaspersoft Studio for ActiveMatrix BPM may allow a subset of authorized users to perform persistent cross-site scripting (XSS) attacks. Affected releases are TIBCO JasperReports Server 6.2.3 and below; 6.3.0; 6.3.1; 6.3.2; 6.4.0, TIBCO JasperReports Server Community Edition 6.4.0 and below, TIBCO JasperReports Server for ActiveMatrix BPM 6.4.0 and below, TIBCO JasperReports Library 6.2.3 and below; 6.3.0; 6.3.1; 6.3.2; 6.4.0; 6.4.1, TIBCO JasperReports Library for ActiveMatrix BPM 6.4.1 and below, TIBCO Jaspersoft for AWS with Multi-Tenancy 6.4.0 and below, TIBCO Jaspersoft Reporting and Analytics for AWS 6.4.0 and below, TIBCO Jaspersoft Studio 6.2.3 and below; 6.3.0; 6.3.1; 6.3.2; 6.4.0, and TIBCO Jaspersoft Studio for ActiveMatrix BPM 6.4.0 and below.

Affected configurations

NVD

Node

tibcojasperreports_serverRange≤6.2.3

tibcojasperreports_serverMatch6.3.0

tibcojasperreports_serverMatch6.3.1

tibcojasperreports_serverMatch6.3.2

tibcojasperreports_serverMatch6.4.0

Node

tibcojasperreports_serverRange≤6.4.0community

Node

tibcojasperreports_serverRange≤6.4.0activematrix_bpm

Node

tibcojasperreports_libraryRange≤6.2.3

tibcojasperreports_libraryMatch6.3.0

tibcojasperreports_libraryMatch6.3.1

tibcojasperreports_libraryMatch6.3.2

tibcojasperreports_libraryMatch6.4.0

tibcojasperreports_libraryMatch6.4.1

Node

tibcojasperreports_libraryRange≤6.4.1activematrix_bpm

Node

tibcojaspersoftRange≤6.4.0aws_with_multi-tenancy

Node

tibcojaspersoft_reporting_and_analyticsRange≤6.4.0aws

Node

tibcojaspersoft_studioRange≤6.2.3

tibcojaspersoft_studioMatch6.3.0

tibcojaspersoft_studioMatch6.3.1

tibcojaspersoft_studioMatch6.3.2

tibcojaspersoft_studioMatch6.4.0

Node

tibcojaspersoft_studioRange≤6.4.0activematrix_bpm

CPENameOperatorVersion
tibco:jasperreports_servertibco jasperreports serverle6.2.3
tibco:jasperreports_servertibco jasperreports servereq6.3.0
tibco:jasperreports_servertibco jasperreports servereq6.3.1
tibco:jasperreports_servertibco jasperreports servereq6.3.2
tibco:jasperreports_servertibco jasperreports servereq6.4.0

CPE	Name	Operator	Version
tibco:jasperreports_server	tibco jasperreports server	le	6.2.3
tibco:jasperreports_server	tibco jasperreports server	eq	6.3.0
tibco:jasperreports_server	tibco jasperreports server	eq	6.3.1
tibco:jasperreports_server	tibco jasperreports server	eq	6.3.2
tibco:jasperreports_server	tibco jasperreports server	eq	6.4.0

CNA Affected

[
  {
    "product": "TIBCO JasperReports Server",
    "vendor": "TIBCO Software Inc.",
    "versions": [
      {
        "status": "affected",
        "version": "6.2.3 and below"
      },
      {
        "status": "affected",
        "version": "6.3.0"
      },
      {
        "status": "affected",
        "version": "6.3.1"
      },
      {
        "status": "affected",
        "version": "6.3.2"
      },
      {
        "status": "affected",
        "version": "6.4.0"
      }
    ]
  },
  {
    "product": "TIBCO JasperReports Server Community Edition",
    "vendor": "TIBCO Software Inc.",
    "versions": [
      {
        "status": "affected",
        "version": "6.4.0 and below"
      }
    ]
  },
  {
    "product": "TIBCO JasperReports Server for ActiveMatrix BPM",
    "vendor": "TIBCO Software Inc.",
    "versions": [
      {
        "status": "affected",
        "version": "6.4.0 and below"
      }
    ]
  },
  {
    "product": "TIBCO JasperReports Library",
    "vendor": "TIBCO Software Inc.",
    "versions": [
      {
        "status": "affected",
        "version": "6.2.3 and below"
      },
      {
        "status": "affected",
        "version": "6.3.0"
      },
      {
        "status": "affected",
        "version": "6.3.1"
      },
      {
        "status": "affected",
        "version": "6.3.2"
      },
      {
        "status": "affected",
        "version": "6.4.0"
      },
      {
        "status": "affected",
        "version": "6.4.1"
      }
    ]
  },
  {
    "product": "TIBCO JasperReports Library for ActiveMatrix BPM",
    "vendor": "TIBCO Software Inc.",
    "versions": [
      {
        "status": "affected",
        "version": "6.4.1 and below"
      }
    ]
  },
  {
    "product": "TIBCO Jaspersoft for AWS with Multi-Tenancy",
    "vendor": "TIBCO Software Inc.",
    "versions": [
      {
        "status": "affected",
        "version": "6.4.0 and below"
      }
    ]
  },
  {
    "product": "TIBCO Jaspersoft Reporting and Analytics for AWS",
    "vendor": "TIBCO Software Inc.",
    "versions": [
      {
        "status": "affected",
        "version": "6.4.0 and below"
      }
    ]
  },
  {
    "product": "TIBCO Jaspersoft Studio",
    "vendor": "TIBCO Software Inc.",
    "versions": [
      {
        "status": "affected",
        "version": "6.2.3 and below"
      },
      {
        "status": "affected",
        "version": "6.3.0"
      },
      {
        "status": "affected",
        "version": "6.3.1"
      },
      {
        "status": "affected",
        "version": "6.3.2"
      },
      {
        "status": "affected",
        "version": "6.4.0"
      }
    ]
  },
  {
    "product": "TIBCO Jaspersoft Studio for ActiveMatrix BPM",
    "vendor": "TIBCO Software Inc.",
    "versions": [
      {
        "status": "affected",
        "version": "6.4.0 and below"
      }
    ]
  }
]

References

www.securityfocus.com/bid/101873

www.tibco.com/support/advisories/2017/11/tibco-security-advisory-november-15-2017-tibco-jasperreports-2017-5532

3.5 Low

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

21.7%

JSON

Related for CVE-2017-5532

cvelist1 debiancve1 nvd1 openvas1 ubuntucve1 prion1