CVE-2018-18809 vulnerability in Tibco Products
Published on March 7, 2019
The default server implementation of TIBCO Software Inc.'s TIBCO JasperReports Library, TIBCO JasperReports Library Community Edition, TIBCO JasperReports Library for ActiveMatrix BPM, TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, and TIBCO Jaspersoft Reporting and Analytics for AWS contains a directory-traversal vulnerability that may theoretically allow web server users to access contents of the host system. Affected releases are TIBCO Software Inc.'s TIBCO JasperReports Library: versions up to and including 6.3.4; 6.4.1; 6.4.2; 6.4.21; 7.1.0; 7.2.0, TIBCO JasperReports Library Community Edition: versions up to and including 6.7.0, TIBCO JasperReports Library for ActiveMatrix BPM: versions up to and including 6.4.21, TIBCO JasperReports Server: versions up to and including 6.3.4; 6.4.0; 6.4.1; 6.4.2; 6.4.3; 7.1.0, TIBCO JasperReports Server Community Edition: versions up to and including 6.4.3; 7.1.0, TIBCO JasperReports Server for ActiveMatrix BPM: versions up to and including 6.4.3, TIBCO Jaspersoft for AWS with Multi-Tenancy: versions up to and including 7.1.0, TIBCO Jaspersoft Reporting and Analytics for AWS: versions up to and including 7.1.0.
Known Exploited Vulnerability
This TIBCO JasperReports Library Directory Traversal Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. TIBCO JasperReports Library contains a directory-traversal vulnerability that may allow web server users to access contents of the host system.
The following remediation steps are recommended / required by January 19, 2023: Apply updates per vendor instructions.
Vulnerability Analysis
CVE-2018-18809 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.
What is a Directory traversal Vulnerability?
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CVE-2018-18809 has been classified to as a Directory traversal vulnerability or weakness.
Products Associated with CVE-2018-18809
You can be notified by stack.watch whenever vulnerabilities like CVE-2018-18809 are published in these products:
What versions are vulnerable to CVE-2018-18809?
- Tibco Jasperreports Server Version 6.4.0
- Tibco Jasperreports Library Version 6.4.1
- Tibco Jasperreports Server Version 6.4.2
- Tibco Jasperreports Library Version 6.4.2
- Tibco Jasperreports Server Up to Version 6.4.3 activematrix_bpm
- Tibco Jasperreports Server Version 6.4.1
- Tibco Jasperreports Server Version 6.4.3
- Tibco Jasperreports Server Version 7.1.0
- Tibco Jasperreports Server Version 7.1.0
- Tibco Jasperreports Server Version 6.3.4
- Tibco Jasperreports Server Up to Version 6.4.3
- Tibco Jasperreports Library Up to Version 6.7.0
- Tibco Jasperreports Library Version 6.3.4
- Tibco Jasperreports Library Version 6.4.21
- Tibco Jasperreports Library Version 7.1.0
- Tibco Jasperreports Library Version 7.2.0
- Tibco Jasperreports Library Up to Version 6.4.21
- Tibco Jaspersoft Reporting Analytics Up to Version 7.1.0 aws
- Tibco Jaspersoft Up to Version 7.1.0 aws_with_multi-tenancy