April 13, 2024

Dec 30, 2022
Ravie Lakshmanan
Patch Management

JasperReports Vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two-year-old security flaws affecting TIBCO Software's JasperReports product to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

The issues, tracked as CVE-2018-5430 (CVSS score: 7.7) and CVE-2018-18809 (CVSS score: 9.9), were addressed by TIBCO in April 2018 and March 2019, respectively.

TIBCO JasperReports is a Java-based reporting and data analytics platform for creating, distributing, and managing reports and dashboards.


The first of the two issues, CVE-2018-5430, relates to an information disclosure bug in the server component that could allow an authenticated user to gain read-only access to arbitrary files, including key configuration files.


“The impact includes the possible read-only access by authenticated users to web application configuration files that contain the credentials used by the server,” TIBCO noted at the time. “These credentials could then be used to affect external systems accessed by the JasperReports Server.”

CVE-2018-18809, on the other hand, is a directory traversal vulnerability in the JasperReports Library that could allow web server users to access sensitive files on the host, potentially making it possible for an attacker to steal credentials and break into other systems.

CISA did not disclose any additional specifics about how the vulnerabilities are being weaponized in real-world attacks. Federal agencies in the U.S. are required to patch their systems by January 19, 2023.
