← back
CVE-2018-5430

TIBCO JasperReports Server Information Disclosure Vulnerability

CVSS 7.7 HIGHEPSS 48.8%● KEVCWE-200
In short

An authenticated user can read files they shouldn't have access to in TIBCO JasperReports Server, including sensitive configuration files. This exposes confidential system settings to anyone with a login account.

Technical detail

A Spring web flows vulnerability allows authenticated users to bypass path restrictions and read arbitrary files on the JasperReports Server, including configuration files containing database credentials and system secrets. The attack requires valid credentials but no elevated privileges, resulting in unauthorized information disclosure affecting multiple TIBCO product variants.

Summary generated and translated by AI from the official description.
The Spring web flows of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, and TIBCO Jaspersoft Reporting and Analytics for AWS contain a vulnerability which may allow any authenticated user read-only access to the contents of the web application, including key configuration files. Affected releases include TIBCO Software Inc.'s TIBCO JasperReports Server: versions up to and including 6.2.4; 6.3.0; 6.3.2; 6.3.3;6.4.0; 6.4.2, TIBCO JasperReports Server Community Edition: versions up to and including 6.4.2, TIBCO JasperReports Server for ActiveMatrix BPM: versions up to and including 6.4.2, TIBCO Jaspersoft for AWS with Multi-Tenancy: versions up to and including 6.4.2, TIBCO Jaspersoft Reporting and Analytics for AWS: versions up to and including 6.4.2.
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Affected products
TIBCO Software Inc. · TIBCO JasperReports ServerTIBCO Software Inc. · TIBCO JasperReports Server Community EditionTIBCO Software Inc. · TIBCO JasperReports Server for ActiveMatrix BPMTIBCO Software Inc. · TIBCO Jaspersoft for AWS with Multi-TenancyTIBCO Software Inc. · TIBCO Jaspersoft Reporting and Analytics for AWS
public PoCs found2
exploitdbwww.exploit-db.com/exploits/44623unverifiedcve_referencewww.exploit-db.com/exploits/44623/unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://rhinosecuritylabs.com/application-security/authenticated-file-read-vulnerability-in-jasperreports/https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-5430https://www.exploit-db.com/exploits/44623/https://www.tibco.com/support/advisories/2018/04/tibco-security-advisory-april-17-2018-tibco-jasperreports-2018-5430