CVE-2018-5430 TIBCO JasperReports Server Information Disclosure Vulnerability

🗓️ 17 Apr 2018 18:00:00Reported by tibcoType

TIBCO JasperReports Server Information Disclosure Vulnerability CVE-2018-543

Reporter	Title	Published	Views	Family All 21
0day.today	JasperReports - Authenticated File Read Vulnerability	15 May 201800:00	–	zdt
ATTACKERKB	TIBCO JasperReports Server Information Disclosure Vulnerability	17 Apr 201800:00	–	attackerkb
BDU FSTEC	The vulnerability in applications for creating reports using TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, and TIBCO Jaspersoft Reporting and Analytics for AWS arises due to an incorrect path name limitation in the restricted directory. This allows attackers to disclose sensitive information.	7 Mar 202300:00	–	bdu_fstec
Circl	CVE-2018-5430	14 Jun 202321:10	–	circl
CISA KEV Catalog	TIBCO JasperReports Server Information Disclosure Vulnerability	29 Dec 202200:00	–	cisa_kev
CNVD	Multiple TIBCO Products Spring web flows Component Information Disclosure Vulnerability	19 Apr 201800:00	–	cnvd
CVE	CVE-2018-5430	17 Apr 201818:00	–	cve
Debian CVE	CVE-2018-5430	17 Apr 201818:00	–	debiancve
NVD	CVE-2018-5430	17 Apr 201818:29	–	nvd
OSV	CVE-2018-5430	17 Apr 201818:29	–	osv

[
  {
    "product": "TIBCO JasperReports Server",
    "vendor": "TIBCO Software Inc.",
    "versions": [
      {
        "lessThanOrEqual": "6.2.4",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "6.3.0"
      },
      {
        "status": "affected",
        "version": "6.3.2"
      },
      {
        "status": "affected",
        "version": "6.3.3"
      },
      {
        "status": "affected",
        "version": "6.4.0"
      },
      {
        "status": "affected",
        "version": "6.4.2"
      }
    ]
  },
  {
    "product": "TIBCO JasperReports Server Community Edition",
    "vendor": "TIBCO Software Inc.",
    "versions": [
      {
        "lessThanOrEqual": "6.4.2",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "TIBCO JasperReports Server for ActiveMatrix BPM",
    "vendor": "TIBCO Software Inc.",
    "versions": [
      {
        "lessThanOrEqual": "6.4.2",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "TIBCO Jaspersoft for AWS with Multi-Tenancy",
    "vendor": "TIBCO Software Inc.",
    "versions": [
      {
        "lessThanOrEqual": "6.4.2",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "TIBCO Jaspersoft Reporting and Analytics for AWS",
    "vendor": "TIBCO Software Inc.",
    "versions": [
      {
        "lessThanOrEqual": "6.4.2",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]

Source	Link
rhinosecuritylabs	www.rhinosecuritylabs.com/application-security/authenticated-file-read-vulnerability-in-jasperreports/
exploit-db	www.exploit-db.com/exploits/44623/
tibco	www.tibco.com/support/advisories/2018/04/tibco-security-advisory-april-17-2018-tibco-jasperreports-2018-5430

16 May 2018 09:57Current

8.5High risk

Vulners AI Score8.5

CVSS 37.7

EPSS0.41417