CVE-2018-18815

TIBCO JasperReports Server User Information Disclosure

CVSS 10 CRITICAL | EPSS 3.1%
In short

The REST API in TIBCO JasperReports Server lets unauthenticated attackers bypass its authorization checks and read user information. Sensitive data held by the server could therefore be exposed to anyone who can reach it over the network.

Technical detail

An unauthenticated attacker can bypass the authorization controls of the REST API component and reach protected resources and user information directly, without valid credentials. The vulnerability affects multiple TIBCO JasperReports Server versions (6.4.0–6.4.3 and 7.1.0) and related products, resulting in a complete confidentiality breach.

Summary generated and translated by AI from the official description.
The REST API component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, and TIBCO Jaspersoft Reporting and Analytics for AWS contains a vulnerability that theoretically allows unauthenticated users to bypass authorization checks for portions of the HTTP interface to the JasperReports Server.

Affected releases are TIBCO Software Inc.'s:

- TIBCO JasperReports Server: 6.4.0; 6.4.1; 6.4.2; 6.4.3; 7.1.0
- TIBCO JasperReports Server Community Edition: versions up to and including 7.1.0
- TIBCO JasperReports Server for ActiveMatrix BPM: versions up to and including 6.4.3
- TIBCO Jaspersoft for AWS with Multi-Tenancy: versions up to and including 7.1.0
- TIBCO Jaspersoft Reporting and Analytics for AWS: versions up to and including 7.1.0

CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
