This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Jaspersoft JasperReports Server. Authentication is not required to exploit this vulnerability. The specific flaw exists in the doGet method of the ResourceForwardingServlet. The issue results from the lack of proper filtering of URLs. An attacker can leverage this in conjunction with other vulnerabilities to bypass authentication on the system.
{"id": "ZDI-19-256", "vendorId": null, "type": "zdi", "bulletinFamily": "info", "title": "Jaspersoft JasperReports Server ResourceForwardingServlet URI Improper Access Control Vulnerability", "description": "This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Jaspersoft JasperReports Server. Authentication is not required to exploit this vulnerability. The specific flaw exists in the doGet method of the ResourceForwardingServlet. The issue results from the lack of proper filtering of URLs. An attacker can leverage this in conjunction with other vulnerabilities to bypass authentication on the system.", "published": "2019-03-06T00:00:00", "modified": "2019-03-06T00:00:00", "epss": [{"cve": "CVE-2018-18815", "epss": 0.01182, "percentile": 0.83038, "modified": "2023-05-27"}], "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 7.5}, "severity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://www.zerodayinitiative.com/advisories/ZDI-19-256/", "reporter": "Steven Seeley (mr_me) of Source Incite", "references": 
["https://www.tibco.com/support/advisories/2019/03/tibco-security-advisory-march-6-2019-tibco-jasperreports-server-2018-18815"], "cvelist": ["CVE-2018-18815"], "immutableFields": [], "lastseen": "2023-05-27T16:07:51", "viewCount": 10, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2018-18815"]}, {"type": "zdi", "idList": ["ZDI-19-305"]}], "rev": 4}, "score": {"value": 2.2, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2018-18815"]}, {"type": "zdi", "idList": ["ZDI-19-305"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2018-18815", "epss": 0.01182, "percentile": 0.82978, "modified": "2023-05-06"}], "vulnersScore": 2.2}, "_state": {"dependencies": 1685206663, "score": 1685203842, "epss": 0}, "_internal": {"score_hash": "40fac1423c8510b16a7d3f9fb0a4f7f7"}}
{"cve": [{"lastseen": "2023-05-27T14:43:14", "description": "The REST API component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, and TIBCO Jaspersoft Reporting and Analytics for AWS contains a vulnerability that theoretically allows unauthenticated users to bypass authorization checks for portions of the HTTP interface to the JasperReports Server. Affected releases are TIBCO Software Inc.'s TIBCO JasperReports Server: 6.4.0; 6.4.1; 6.4.2; 6.4.3; 7.1.0, TIBCO JasperReports Server Community Edition: versions up to and including 7.1.0, TIBCO JasperReports Server for ActiveMatrix BPM: versions up to and including 6.4.3, TIBCO Jaspersoft for AWS with Multi-Tenancy: versions up to and including 7.1.0, and TIBCO Jaspersoft Reporting and Analytics for AWS: versions up to and including 7.1.0.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-03-07T22:29:00", "type": "cve", "title": "CVE-2018-18815", "cwe": ["CWE-863"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2018-18815"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/a:tibco:jasperreports_server:6.4.0", "cpe:/a:tibco:jaspersoft:7.1.0", "cpe:/a:tibco:jasperreports_server:6.4.2", "cpe:/a:tibco:jasperreports_server:6.4.3", "cpe:/a:tibco:jasperreports_server:6.4.1", "cpe:/a:tibco:jasperreports_server:7.1.0", "cpe:/a:tibco:jaspersoft_reporting_and_analytics:7.1.0"], "id": "CVE-2018-18815", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-18815", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:tibco:jasperreports_server:6.4.3:*:*:*:*:activematrix_bpm:*:*", "cpe:2.3:a:tibco:jasperreports_server:6.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:tibco:jasperreports_server:6.4.3:*:*:*:*:*:*:*", "cpe:2.3:a:tibco:jaspersoft_reporting_and_analytics:7.1.0:*:*:*:*:aws:*:*", "cpe:2.3:a:tibco:jasperreports_server:6.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:tibco:jasperreports_server:7.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:tibco:jaspersoft:7.1.0:*:*:*:*:aws_with_multi-tenancy:*:*", "cpe:2.3:a:tibco:jasperreports_server:6.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:tibco:jasperreports_server:7.1.0:*:*:*:community:*:*:*"]}], "zdi": [{"lastseen": "2023-05-27T16:07:32", "description": "This vulnerability allows the decryption of the passwords on vulnerable installations of Jaspersoft JasperReports Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within encryption of user passwords in the DiagnosticDataCipherer class. A hard-coded cryptographic key is used which can allow the reversal of the encryption process. An attacker can leverage this vulnerability in conjunction with other vulnerabilities to bypass authentication on the system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-04-02T00:00:00", "type": "zdi", "title": "Jaspersoft JasperReports Server DiagnosticDataCipherer Hard-coded Cryptographic Key Information Disclosure Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-18815"], "modified": "2019-04-02T00:00:00", "id": "ZDI-19-305", "href": "https://www.zerodayinitiative.com/advisories/ZDI-19-305/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}