CVE-2018-18809

🗓️ 07 Mar 2019 22:00:00Reported by tibcoType

cve🔗 web.nvd.nist.gov👁 627 Views🌐 WEB

The default server implementation of TIBCO Software Inc.'s TIBCO JasperReports Library contains a directory-traversal vulnerability

Reporter	Title	Published	Views	Family All 20
0day.today	Tibco JasperSoft Path Traversal Vulnerability	10 Sep 201900:00	–	zdt
IBM Security Bulletins	Security Bulletin: TIBCO JasperReports Vulnerabilities Affect IBM Sterling B2B Integrator (CVE-2020-9410, CVE-2018-18809)	6 Oct 202114:49	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple JasperReports Vulnerabilities Affect IBM Control Center (CVE-2020-9410, CVE-2018-18809)	16 Jun 202119:25	–	ibm
ATTACKERKB	TIBCO JasperReports Library Directory Traversal Vulnerability	7 Mar 201900:00	–	attackerkb
BDU FSTEC	The vulnerability of the server-side application library for creating reports from TIBCO JasperReports Library, JasperReports Library for ActiveMatrix BPM, JasperReports Server, JasperReports Server for AWS Marketplace, and JasperReports Server for ActiveMatrix BPM arises from an incorrect limitation on the path to the restricted directory. This allows attackers to disclose sensitive information that should be protected.	1 Mar 202300:00	–	bdu_fstec
Circl	CVE-2018-18809	8 Mar 201900:21	–	circl
CISA KEV Catalog	TIBCO JasperReports Library Directory Traversal Vulnerability	29 Dec 202200:00	–	cisa_kev
CNVD	Multiple TIBCO Software Products Path Traversal Vulnerabilities	10 Sep 201900:00	–	cnvd
Cvelist	CVE-2018-18809 TIBCO JasperReports Library Directory Traversal Vulnerability	7 Mar 201922:00	–	cvelist
Dsquare	TIBCO JasperSoft Path Traversal	28 Oct 202000:00	–	dsquare

NVD

Node

tibco jasperreports_libraryRange≤6.4.21activematrix_bpm

tibco jasperreports_libraryRange≤6.7.0community

tibco jasperreports_libraryMatch7.1.0

tibco jasperreports_libraryMatch7.2.0

tibco jasperreports_serverRange≤6.4.3activematrix_bpm

tibco jasperreports_serverRange≤6.4.3community

tibco jasperreports_serverMatch7.1.0

Node

tibco jaspersoftRange≤7.1.0aws_with_multi-tenancy

tibco jaspersoft_reporting_and_analyticsRange≤7.1.0aws

[
  {
    "product": "TIBCO JasperReports Library",
    "vendor": "TIBCO Software Inc.",
    "versions": [
      {
        "lessThanOrEqual": "6.3.4",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "6.4.1"
      },
      {
        "status": "affected",
        "version": "6.4.2"
      },
      {
        "status": "affected",
        "version": "6.4.21"
      },
      {
        "status": "affected",
        "version": "7.1.0"
      },
      {
        "status": "affected",
        "version": "7.2.0"
      }
    ]
  },
  {
    "product": "TIBCO JasperReports Library Community Edition",
    "vendor": "TIBCO Software Inc.",
    "versions": [
      {
        "lessThanOrEqual": "6.7.0",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "TIBCO JasperReports Library for ActiveMatrix BPM",
    "vendor": "TIBCO Software Inc.",
    "versions": [
      {
        "lessThanOrEqual": "6.4.21",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "TIBCO JasperReports Server",
    "vendor": "TIBCO Software Inc.",
    "versions": [
      {
        "lessThanOrEqual": "6.3.4",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "6.4.0"
      },
      {
        "status": "affected",
        "version": "6.4.1"
      },
      {
        "status": "affected",
        "version": "6.4.2"
      },
      {
        "status": "affected",
        "version": "6.4.3"
      },
      {
        "status": "affected",
        "version": "7.1.0"
      }
    ]
  },
  {
    "product": "TIBCO JasperReports Server Community Edition",
    "vendor": "TIBCO Software Inc.",
    "versions": [
      {
        "lessThanOrEqual": "6.4.3",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "7.1.0"
      }
    ]
  },
  {
    "product": "TIBCO JasperReports Server for ActiveMatrix BPM",
    "vendor": "TIBCO Software Inc.",
    "versions": [
      {
        "lessThanOrEqual": "6.4.3",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "TIBCO Jaspersoft for AWS with Multi-Tenancy",
    "vendor": "TIBCO Software Inc.",
    "versions": [
      {
        "lessThanOrEqual": "7.1.0",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "TIBCO Jaspersoft Reporting and Analytics for AWS",
    "vendor": "TIBCO Software Inc.",
    "versions": [
      {
        "lessThanOrEqual": "7.1.0",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]

Source	Link
tibco	www.tibco.com/services/support/advisories
packetstormsecurity	www.packetstormsecurity.com/files/154406/Tibco-JasperSoft-Path-Traversal.html
security	www.security.elarlang.eu/cve-2018-18809-path-traversal-in-tibco-jaspersoft.html
seclists	www.seclists.org/fulldisclosure/2019/Sep/17
tibco	www.tibco.com/support/advisories/2019/03/tibco-security-advisory-march-6-2019-tibco-jasperreports-library-2018-18809
cybersecurityworks	www.cybersecurityworks.com/zerodays/cve-2018-18809-tibco.html
securityfocus	www.securityfocus.com/bid/107351
cisa	www.cisa.gov/known-exploited-vulnerabilities-catalog

Parameter	Position	Path	Description	CWE
resource	query param	/jasperserver-pro/reportresource/reportresource/	Path traversal via reportresource endpoint allowing reading of files using the resource parameter (e.g., net/sf/jasperreports/../../../../)	CWE-22

17 Jun 2026 01:47Current

7.4High risk

Vulners AI Score7.4

CVSS 24

CVSS 3.16.5

CVSS 39.9

EPSS0.79836

SSVC