Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2018-5429

A vulnerability in the report scripting component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO JasperReports Library, TIBCO JasperReports Library Community Edition, TIBCO JasperReports Library for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, TIBCO Jaspersoft Reporting and Analytics for AWS, TIBCO Jaspersoft Studio, TIBCO Jaspersoft Studio Community Edition, and TIBCO Jaspersoft Studio for ActiveMatrix BPM may allow analytic reports that contain scripting to perform arbitrary code execution. Affected releases include TIBCO Software Inc.'s TIBCO JasperReports Server: versions up to and including 6.2.4; 6.3.0; 6.3.2;6.3.3; 6.4.0; 6.4.2, TIBCO JasperReports Server Community Edition: versions up to and including 6.4.2, TIBCO JasperReports Server for ActiveMatrix BPM: versions up to and including 6.4.2, TIBCO JasperReports Library: versions up to and including 6.2.4; 6.3.0; 6.3.2; 6.3.3; 6.4.0; 6.4.1; 6.4.2, TIBCO JasperReports Library Community Edition: versions up to and including 6.4.3, TIBCO JasperReports Library for ActiveMatrix BPM: versions up to and including 6.4.2, TIBCO Jaspersoft for AWS with Multi-Tenancy: versions up to and including 6.4.2, TIBCO Jaspersoft Reporting and Analytics for AWS: versions up to and including 6.4.2, TIBCO Jaspersoft Studio: versions up to and including 6.2.4; 6.3.0; 6.3.2; 6.3.3; 6.4.0; 6.4.2, TIBCO Jaspersoft Studio Community Edition: versions up to and including 6.4.3, TIBCO Jaspersoft Studio for ActiveMatrix BPM: versions up to and including 6.4.2.

Published

2018-04-17T18:29:00.213

Last Modified

2024-11-21T04:08:47.023

Status

Modified

Source

[email protected]

Severity

CVSSv3.0: 8.8 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:S/C:P/I:P/A:P

Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

8.0

Impact Score

6.4

Weaknesses

Type: Primary
NVD-CWE-noinfo

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	tibco	jasperreports_server	≤ 6.2.4	Yes
Application	tibco	jasperreports_server	≤ 6.4.2	Yes
Application	tibco	jasperreports_server	≤ 6.4.2	Yes
Application	tibco	jasperreports_server	6.3.0	Yes
Application	tibco	jasperreports_server	6.3.2	Yes
Application	tibco	jasperreports_server	6.3.3	Yes
Application	tibco	jasperreports_server	6.4.0	Yes
Application	tibco	jasperreports_server	6.4.2	Yes
Application	tibco	jasperreports_library	≤ 6.2.4	Yes
Application	tibco	jasperreports_library	≤ 6.4.2	Yes
Application	tibco	jasperreports_library	≤ 6.4.3	Yes
Application	tibco	jasperreports_library	6.3.0	Yes
Application	tibco	jasperreports_library	6.3.2	Yes
Application	tibco	jasperreports_library	6.3.3	Yes
Application	tibco	jasperreports_library	6.4.0	Yes
Application	tibco	jasperreports_library	6.4.1	Yes
Application	tibco	jasperreports_library	6.4.2	Yes
Application	tibco	jaspersoft	≤ 6.4.2	Yes
Application	tibco	jaspersoft_reporting_and_analytics	≤ 6.4.2	Yes
Application	tibco	jaspersoft_studio	≤ 6.2.4	Yes
Application	tibco	jaspersoft_studio	≤ 6.4.2	Yes
Application	tibco	jaspersoft_studio	≤ 6.4.3	Yes
Application	tibco	jaspersoft_studio	6.3.0	Yes
Application	tibco	jaspersoft_studio	6.3.2	Yes
Application	tibco	jaspersoft_studio	6.3.3	Yes
Application	tibco	jaspersoft_studio	6.4.0	Yes
Application	tibco	jaspersoft_studio	6.4.2	Yes

References

https://www.tibco.com/support/advisories/2018/04/tibco-security-advisory-april-17-2018-tibco-jasperreports-2018-5429 Vendor Advisory ([email protected])
https://www.tibco.com/support/advisories/2018/04/tibco-security-advisory-april-17-2018-tibco-jasperreports-2018-5429 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)