TIBCO JasperReports Server: CVE-2018-5430 vulnerability in TIBCO products
Published on April 17, 2018

The Spring web flows of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, and TIBCO Jaspersoft Reporting and Analytics for AWS contain a vulnerability which may allow any authenticated user read-only access to the contents of the web application, including key configuration files. Affected releases include TIBCO Software Inc.'s TIBCO JasperReports Server: versions up to and including 6.2.4; 6.3.0; 6.3.2; 6.3.3; 6.4.0; 6.4.2. TIBCO JasperReports Server Community Edition: versions up to and including 6.4.2. TIBCO JasperReports Server for ActiveMatrix BPM: versions up to and including 6.4.2. TIBCO Jaspersoft for AWS with Multi-Tenancy: versions up to and including 6.4.2. TIBCO Jaspersoft Reporting and Analytics for AWS: versions up to and including 6.4.2.


Known Exploited Vulnerability

This TIBCO JasperReports Server information disclosure vulnerability is part of CISA's list of Known Exploited Vulnerabilities. TIBCO JasperReports Server contains a vulnerability which may allow any authenticated user read-only access to the contents of the web application, including key configuration files.

The following remediation is required by January 19, 2023: apply updates per vendor instructions.

Vulnerability Analysis

CVE-2018-5430 is exploitable with network access and requires only a low level of user privileges (any authenticated account). This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to be very high.

What is a Directory Traversal Vulnerability?

The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

CVE-2018-5430 has been classified as a directory traversal vulnerability (weakness).

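The weakness defined above comes down to how a file-serving endpoint checks that a user-supplied path stays under its root. The following is an added example written for this page, not code from TIBCO or from the advisory: it contrasts the string-prefix check that CWE-22 warns about with a canonicalize-then-compare check, run over a handful of constructed request paths. The web root `/srv/webapp/ROOT`, the file names and the `ROOT_backup` sibling directory are all invented for illustration and do not describe the real JasperReports Server layout.

```python
import os
from typing import Optional

# Constructed stand-in for a web application's document root (not a real layout).
WEB_ROOT = "/srv/webapp/ROOT"

# Constructed request paths a caller might hand to a file-serving endpoint.
SAMPLE_REQUESTS = [
    "reports/sales.jrxml",          # legitimate file under the root
    "../WEB-INF/web.xml",           # climbs straight out of the root
    "reports/../../conf/keys.xml",  # descends first, then climbs out
    "../ROOT_backup/config.xml",    # sibling directory sharing the root's prefix
    "/etc/passwd",                  # absolute path replaces the root entirely
]


def naive_resolve(user_path: str, root: str = WEB_ROOT) -> Optional[str]:
    """Weak check: join the input onto the root and test only that the
    resulting string begins with the root. '..' segments are never
    normalized, so the string test passes while the file system resolves
    the path to a location outside the root."""
    candidate = os.path.join(root, user_path)
    return candidate if candidate.startswith(root) else None


def safe_resolve(user_path: str, root: str = WEB_ROOT) -> Optional[str]:
    """Hardened check: canonicalize both sides (normalizes '..' and follows
    symlinks), then require the root to be an exact component-wise prefix
    of the candidate. Returns None for anything that escapes the root."""
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, user_path))
    try:
        # commonpath compares whole components, so '/x/ROOT_backup' is not
        # treated as inside '/x/ROOT'. ValueError means the two paths have
        # no common root at all (different drives on Windows): reject.
        inside = os.path.commonpath([real_root, candidate]) == real_root
    except ValueError:
        inside = False
    return candidate if inside else None


def evaluate(requests=SAMPLE_REQUESTS):
    """Return (request, accepted_by_naive, accepted_by_hardened) per sample."""
    return [
        (req, naive_resolve(req) is not None, safe_resolve(req) is not None)
        for req in requests
    ]


if __name__ == "__main__":
    for req, naive_ok, safe_ok in evaluate():
        print(f"{req:32} naive={'allow' if naive_ok else 'deny':5} "
              f"hardened={'allow' if safe_ok else 'deny'}")
```

Two points the sample set makes visible: the prefix check accepts every climbing path because `..` is only meaningful once the path is normalized, and it also accepts the `ROOT_backup` sibling because a plain string prefix ignores directory boundaries. The containment check must also run on the path as the container has finally decoded it, since a check performed before URL decoding sees a different string than the file system does.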
