cnvd - cnvd-2018-15506

CNVD-2018-15506

Vulnerability from cnvd - Published: 2018-08-16

Title

多款TIBCO产品存在多个HTML注入漏洞

Description

TIBCO Jaspersoft Studio是一款报表工具，是美国TIBCO软件公司的产品。多款TIBCO产品存在多个HTML注入漏洞，该漏洞源于未充分验证用户输入。攻击者可以在受影响应用程序环境中执行任意HTML和脚本代码，窃取基于cookie认证证书并控制网页向用户呈现的内容。

Severity

低

Patch Name

多款TIBCO产品存在多个HTML注入漏洞的补丁

Patch Description

TIBCO Jaspersoft Studio是一款报表工具，是美国TIBCO软件公司的产品。多款TIBCO产品存在多个HTML注入漏洞，该漏洞源于未充分验证用户输入。攻击者可以在受影响应用程序环境中执行任意HTML和脚本代码，窃取基于cookie认证证书并控制网页向用户呈现的内容。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://www.tibco.com/support/advisories/2017/11/tibco-security-advisory-november-15-2017-tibco-jasperreports-2017-5532

Reference

http://www.securityfocus.com/bid/101873 https://nvd.nist.gov/vuln/detail/CVE-2017-5532

Impacted products

Name
['TIBCO JasperReports Server 6.3.0', 'TIBCO JasperReports Server 6.3.2', 'TIBCO JasperReports Library 6.3.0', 'TIBCO JasperReports Library 6.3.2', 'TIBCO JasperReports Library 6.4.0', 'TIBCO JasperReports Library 6.4.1', 'TIBCO Jaspersoft Studio 6.3.0', 'TIBCO Jaspersoft Studio 6.3.2', 'TIBCO Jaspersoft Studio 6.4.0', 'TIBCO JasperReports Server Community Edition 6.4.0', 'TIBCO JasperReports Server <=6.2.3', 'TIBCO JasperReports Server 6.3.1', 'TIBCO JasperReports Server Community Edition <=6.4.0', 'TIBCO JasperReports Server for ActiveMatrix BPM <=6.4.0', 'TIBCO JasperReports Library <=6.2.3', 'TIBCO JasperReports Library 6.3.1', 'TIBCO JasperReports Library for ActiveMatrix BPM <=6.4.1', 'TIBCO Jaspersoft for AWS with Multi-Tenancy <=6.4.0', 'TIBCO Jaspersoft Reporting and Analytics for AWS <=6.4.0', 'TIBCO Jaspersoft Studio <=6.2.3', 'TIBCO Jaspersoft Studio 6.3.1', 'TIBCO Jaspersoft Studio for ActiveMatrix BPM <=6.4.0']

Name

['TIBCO JasperReports Server 6.3.0', 'TIBCO JasperReports Server 6.3.2', 'TIBCO JasperReports Library 6.3.0', 'TIBCO JasperReports Library 6.3.2', 'TIBCO JasperReports Library 6.4.0', 'TIBCO JasperReports Library 6.4.1', 'TIBCO Jaspersoft Studio 6.3.0', 'TIBCO Jaspersoft Studio 6.3.2', 'TIBCO Jaspersoft Studio 6.4.0', 'TIBCO JasperReports Server Community Edition 6.4.0', 'TIBCO JasperReports Server <=6.2.3', 'TIBCO JasperReports Server 6.3.1', 'TIBCO JasperReports Server Community Edition <=6.4.0', 'TIBCO JasperReports Server for ActiveMatrix BPM <=6.4.0', 'TIBCO JasperReports Library <=6.2.3', 'TIBCO JasperReports Library 6.3.1', 'TIBCO JasperReports Library for ActiveMatrix BPM <=6.4.1', 'TIBCO Jaspersoft for AWS with Multi-Tenancy <=6.4.0', 'TIBCO Jaspersoft Reporting and Analytics for AWS <=6.4.0', 'TIBCO Jaspersoft Studio <=6.2.3', 'TIBCO Jaspersoft Studio 6.3.1', 'TIBCO Jaspersoft Studio for ActiveMatrix BPM <=6.4.0']

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "101873"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-5532",
      "cveUrl": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5532"
    }
  },
  "description": "TIBCO Jaspersoft Studio\u662f\u4e00\u6b3e\u62a5\u8868\u5de5\u5177\uff0c\u662f\u7f8e\u56fdTIBCO\u8f6f\u4ef6\u516c\u53f8\u7684\u4ea7\u54c1\u3002\r\n\r\n\u591a\u6b3eTIBCO\u4ea7\u54c1\u5b58\u5728\u591a\u4e2aHTML\u6ce8\u5165\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u672a\u5145\u5206\u9a8c\u8bc1\u7528\u6237\u8f93\u5165\u3002\u653b\u51fb\u8005\u53ef\u4ee5\u5728\u53d7\u5f71\u54cd\u5e94\u7528\u7a0b\u5e8f\u73af\u5883\u4e2d\u6267\u884c\u4efb\u610fHTML\u548c\u811a\u672c\u4ee3\u7801\uff0c\u7a83\u53d6\u57fa\u4e8ecookie\u8ba4\u8bc1\u8bc1\u4e66\u5e76\u63a7\u5236\u7f51\u9875\u5411\u7528\u6237\u5448\u73b0\u7684\u5185\u5bb9\u3002",
  "discovererName": "TIBCO",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://www.tibco.com/support/advisories/2017/11/tibco-security-advisory-november-15-2017-tibco-jasperreports-2017-5532",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2018-15506",
  "openTime": "2018-08-16",
  "patchDescription": "TIBCO Jaspersoft Studio\u662f\u4e00\u6b3e\u62a5\u8868\u5de5\u5177\uff0c\u662f\u7f8e\u56fdTIBCO\u8f6f\u4ef6\u516c\u53f8\u7684\u4ea7\u54c1\u3002\r\n\r\n\u591a\u6b3eTIBCO\u4ea7\u54c1\u5b58\u5728\u591a\u4e2aHTML\u6ce8\u5165\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u672a\u5145\u5206\u9a8c\u8bc1\u7528\u6237\u8f93\u5165\u3002\u653b\u51fb\u8005\u53ef\u4ee5\u5728\u53d7\u5f71\u54cd\u5e94\u7528\u7a0b\u5e8f\u73af\u5883\u4e2d\u6267\u884c\u4efb\u610fHTML\u548c\u811a\u672c\u4ee3\u7801\uff0c\u7a83\u53d6\u57fa\u4e8ecookie\u8ba4\u8bc1\u8bc1\u4e66\u5e76\u63a7\u5236\u7f51\u9875\u5411\u7528\u6237\u5448\u73b0\u7684\u5185\u5bb9\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "\u591a\u6b3eTIBCO\u4ea7\u54c1\u5b58\u5728\u591a\u4e2aHTML\u6ce8\u5165\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "TIBCO JasperReports Server  6.3.0",
      "TIBCO JasperReports Server 6.3.2",
      "TIBCO JasperReports Library 6.3.0",
      "TIBCO JasperReports Library 6.3.2",
      "TIBCO JasperReports Library 6.4.0",
      "TIBCO JasperReports Library 6.4.1",
      "TIBCO Jaspersoft Studio 6.3.0",
      "TIBCO Jaspersoft Studio 6.3.2",
      "TIBCO Jaspersoft Studio 6.4.0",
      "TIBCO JasperReports Server Community Edition 6.4.0",
      "TIBCO JasperReports Server \u003c=6.2.3",
      "TIBCO JasperReports Server 6.3.1",
      "TIBCO JasperReports Server Community Edition \u003c=6.4.0",
      "TIBCO JasperReports Server for ActiveMatrix BPM \u003c=6.4.0",
      "TIBCO JasperReports Library \u003c=6.2.3",
      "TIBCO JasperReports Library 6.3.1",
      "TIBCO JasperReports Library for ActiveMatrix BPM \u003c=6.4.1",
      "TIBCO Jaspersoft for AWS with Multi-Tenancy \u003c=6.4.0",
      "TIBCO Jaspersoft Reporting and Analytics for AWS \u003c=6.4.0",
      "TIBCO Jaspersoft Studio \u003c=6.2.3",
      "TIBCO Jaspersoft Studio 6.3.1",
      "TIBCO Jaspersoft Studio for ActiveMatrix BPM \u003c=6.4.0"
    ]
  },
  "referenceLink": "http://www.securityfocus.com/bid/101873\r\nhttps://nvd.nist.gov/vuln/detail/CVE-2017-5532",
  "serverity": "\u4f4e",
  "submitTime": "2018-05-29",
  "title": "\u591a\u6b3eTIBCO\u4ea7\u54c1\u5b58\u5728\u591a\u4e2aHTML\u6ce8\u5165\u6f0f\u6d1e"
}

CVE-2017-5532 (GCVE-0-2017-5532)

Vulnerability from cvelistv5 – Published: 2017-11-15 21:00 – Updated: 2024-09-16 20:48

Summary

A vulnerability in the report renderer component of TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO JasperReports Library, TIBCO JasperReports Library for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, TIBCO Jaspersoft Reporting and Analytics for AWS, TIBCO Jaspersoft Studio, and TIBCO Jaspersoft Studio for ActiveMatrix BPM may allow a subset of authorized users to perform persistent cross-site scripting (XSS) attacks. Affected releases are TIBCO JasperReports Server 6.2.3 and below; 6.3.0; 6.3.1; 6.3.2; 6.4.0, TIBCO JasperReports Server Community Edition 6.4.0 and below, TIBCO JasperReports Server for ActiveMatrix BPM 6.4.0 and below, TIBCO JasperReports Library 6.2.3 and below; 6.3.0; 6.3.1; 6.3.2; 6.4.0; 6.4.1, TIBCO JasperReports Library for ActiveMatrix BPM 6.4.1 and below, TIBCO Jaspersoft for AWS with Multi-Tenancy 6.4.0 and below, TIBCO Jaspersoft Reporting and Analytics for AWS 6.4.0 and below, TIBCO Jaspersoft Studio 6.2.3 and below; 6.3.0; 6.3.1; 6.3.2; 6.4.0, and TIBCO Jaspersoft Studio for ActiveMatrix BPM 6.4.0 and below.

Severity ?

5.4 (Medium)


                        
                          CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N

CWE

The impact of this vulnerability includes the possibility that a malicious user can gain access to a more privileged account.

Assigner

tibco

References

URL

Tags

	https://www.tibco.com/support/advisories/2017/11/…	x_refsource_CONFIRM
	http://www.securityfocus.com/bid/101873	vdb-entryx_refsource_BID

Impacted products

Vendor

Product

Version

TIBCO Software Inc.

TIBCO JasperReports Server

Affected: 6.2.3 and below
Affected: 6.3.0
Affected: 6.3.1
Affected: 6.3.2
Affected: 6.4.0

TIBCO Software Inc.	TIBCO JasperReports Server Community Edition	Affected: 6.4.0 and below
TIBCO Software Inc.	TIBCO JasperReports Server for ActiveMatrix BPM	Affected: 6.4.0 and below
TIBCO Software Inc.	TIBCO JasperReports Library	Affected: 6.2.3 and below Affected: 6.3.0 Affected: 6.3.1 Affected: 6.3.2 Affected: 6.4.0 Affected: 6.4.1
TIBCO Software Inc.	TIBCO JasperReports Library for ActiveMatrix BPM	Affected: 6.4.1 and below
TIBCO Software Inc.	TIBCO Jaspersoft for AWS with Multi-Tenancy	Affected: 6.4.0 and below
TIBCO Software Inc.	TIBCO Jaspersoft Reporting and Analytics for AWS	Affected: 6.4.0 and below
TIBCO Software Inc.	TIBCO Jaspersoft Studio	Affected: 6.2.3 and below Affected: 6.3.0 Affected: 6.3.1 Affected: 6.3.2 Affected: 6.4.0
TIBCO Software Inc.	TIBCO Jaspersoft Studio for ActiveMatrix BPM	Affected: 6.4.0 and below

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T15:04:15.302Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.tibco.com/support/advisories/2017/11/tibco-security-advisory-november-15-2017-tibco-jasperreports-2017-5532"
          },
          {
            "name": "101873",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/101873"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "TIBCO JasperReports Server",
          "vendor": "TIBCO Software Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "6.2.3 and below"
            },
            {
              "status": "affected",
              "version": "6.3.0"
            },
            {
              "status": "affected",
              "version": "6.3.1"
            },
            {
              "status": "affected",
              "version": "6.3.2"
            },
            {
              "status": "affected",
              "version": "6.4.0"
            }
          ]
        },
        {
          "product": "TIBCO JasperReports Server Community Edition",
          "vendor": "TIBCO Software Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "6.4.0 and below"
            }
          ]
        },
        {
          "product": "TIBCO JasperReports Server for ActiveMatrix BPM",
          "vendor": "TIBCO Software Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "6.4.0 and below"
            }
          ]
        },
        {
          "product": "TIBCO JasperReports Library",
          "vendor": "TIBCO Software Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "6.2.3 and below"
            },
            {
              "status": "affected",
              "version": "6.3.0"
            },
            {
              "status": "affected",
              "version": "6.3.1"
            },
            {
              "status": "affected",
              "version": "6.3.2"
            },
            {
              "status": "affected",
              "version": "6.4.0"
            },
            {
              "status": "affected",
              "version": "6.4.1"
            }
          ]
        },
        {
          "product": "TIBCO JasperReports Library for ActiveMatrix BPM",
          "vendor": "TIBCO Software Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "6.4.1 and below"
            }
          ]
        },
        {
          "product": "TIBCO Jaspersoft for AWS with Multi-Tenancy",
          "vendor": "TIBCO Software Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "6.4.0 and below"
            }
          ]
        },
        {
          "product": "TIBCO Jaspersoft Reporting and Analytics for AWS",
          "vendor": "TIBCO Software Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "6.4.0 and below"
            }
          ]
        },
        {
          "product": "TIBCO Jaspersoft Studio",
          "vendor": "TIBCO Software Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "6.2.3 and below"
            },
            {
              "status": "affected",
              "version": "6.3.0"
            },
            {
              "status": "affected",
              "version": "6.3.1"
            },
            {
              "status": "affected",
              "version": "6.3.2"
            },
            {
              "status": "affected",
              "version": "6.4.0"
            }
          ]
        },
        {
          "product": "TIBCO Jaspersoft Studio for ActiveMatrix BPM",
          "vendor": "TIBCO Software Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "6.4.0 and below"
            }
          ]
        }
      ],
      "datePublic": "2017-11-17T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability in the report renderer component of TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO JasperReports Library, TIBCO JasperReports Library for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, TIBCO Jaspersoft Reporting and Analytics for AWS, TIBCO Jaspersoft Studio, and TIBCO Jaspersoft Studio for ActiveMatrix BPM may allow a subset of authorized users to perform persistent cross-site scripting (XSS) attacks. Affected releases are TIBCO JasperReports Server 6.2.3 and below; 6.3.0; 6.3.1; 6.3.2; 6.4.0, TIBCO JasperReports Server Community Edition 6.4.0 and below, TIBCO JasperReports Server for ActiveMatrix BPM 6.4.0 and below, TIBCO JasperReports Library 6.2.3 and below; 6.3.0; 6.3.1; 6.3.2; 6.4.0; 6.4.1, TIBCO JasperReports Library for ActiveMatrix BPM 6.4.1 and below, TIBCO Jaspersoft for AWS with Multi-Tenancy 6.4.0 and below, TIBCO Jaspersoft Reporting and Analytics for AWS 6.4.0 and below, TIBCO Jaspersoft Studio 6.2.3 and below; 6.3.0; 6.3.1; 6.3.2; 6.4.0, and TIBCO Jaspersoft Studio for ActiveMatrix BPM 6.4.0 and below."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "The impact of this vulnerability includes the possibility that a malicious user can gain access to a more privileged account.",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-11-18T10:57:01",
        "orgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
        "shortName": "tibco"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.tibco.com/support/advisories/2017/11/tibco-security-advisory-november-15-2017-tibco-jasperreports-2017-5532"
        },
        {
          "name": "101873",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/101873"
        }
      ],
      "title": "TIBCO JasperReports persistent cross site scripting",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@tibco.com",
          "DATE_PUBLIC": "2017-11-17T17:00:00.000Z",
          "ID": "CVE-2017-5532",
          "STATE": "PUBLIC",
          "TITLE": "TIBCO JasperReports persistent cross site scripting"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "TIBCO JasperReports Server",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "6.2.3 and below"
                          },
                          {
                            "version_value": "6.3.0"
                          },
                          {
                            "version_value": "6.3.1"
                          },
                          {
                            "version_value": "6.3.2"
                          },
                          {
                            "version_value": "6.4.0"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "TIBCO JasperReports Server Community Edition",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "6.4.0 and below"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "TIBCO JasperReports Server for ActiveMatrix BPM",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "6.4.0 and below"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "TIBCO JasperReports Library",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "6.2.3 and below"
                          },
                          {
                            "version_value": "6.3.0"
                          },
                          {
                            "version_value": "6.3.1"
                          },
                          {
                            "version_value": "6.3.2"
                          },
                          {
                            "version_value": "6.4.0"
                          },
                          {
                            "version_value": "6.4.1"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "TIBCO JasperReports Library for ActiveMatrix BPM",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "6.4.1 and below"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "TIBCO Jaspersoft for AWS with Multi-Tenancy",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "6.4.0 and below"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "TIBCO Jaspersoft Reporting and Analytics for AWS",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "6.4.0 and below"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "TIBCO Jaspersoft Studio",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "6.2.3 and below"
                          },
                          {
                            "version_value": "6.3.0"
                          },
                          {
                            "version_value": "6.3.1"
                          },
                          {
                            "version_value": "6.3.2"
                          },
                          {
                            "version_value": "6.4.0"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "TIBCO Jaspersoft Studio for ActiveMatrix BPM",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "6.4.0 and below"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "TIBCO Software Inc."
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A vulnerability in the report renderer component of TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO JasperReports Library, TIBCO JasperReports Library for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, TIBCO Jaspersoft Reporting and Analytics for AWS, TIBCO Jaspersoft Studio, and TIBCO Jaspersoft Studio for ActiveMatrix BPM may allow a subset of authorized users to perform persistent cross-site scripting (XSS) attacks. Affected releases are TIBCO JasperReports Server 6.2.3 and below; 6.3.0; 6.3.1; 6.3.2; 6.4.0, TIBCO JasperReports Server Community Edition 6.4.0 and below, TIBCO JasperReports Server for ActiveMatrix BPM 6.4.0 and below, TIBCO JasperReports Library 6.2.3 and below; 6.3.0; 6.3.1; 6.3.2; 6.4.0; 6.4.1, TIBCO JasperReports Library for ActiveMatrix BPM 6.4.1 and below, TIBCO Jaspersoft for AWS with Multi-Tenancy 6.4.0 and below, TIBCO Jaspersoft Reporting and Analytics for AWS 6.4.0 and below, TIBCO Jaspersoft Studio 6.2.3 and below; 6.3.0; 6.3.1; 6.3.2; 6.4.0, and TIBCO Jaspersoft Studio for ActiveMatrix BPM 6.4.0 and below."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "The impact of this vulnerability includes the possibility that a malicious user can gain access to a more privileged account."
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.tibco.com/support/advisories/2017/11/tibco-security-advisory-november-15-2017-tibco-jasperreports-2017-5532",
              "refsource": "CONFIRM",
              "url": "https://www.tibco.com/support/advisories/2017/11/tibco-security-advisory-november-15-2017-tibco-jasperreports-2017-5532"
            },
            {
              "name": "101873",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/101873"
            }
          ]
        },
        "solution": "TIBCO has released updated versions of the affected components which address these issues.\n\nFor each affected system, update to the corresponding software versions:\n\n  TIBCO JasperReports Server versions 6.2.X update to version 6.2.4 or higher\n  TIBCO JasperReports Server versions 6.3.X update to version 6.3.3 or higher\n  TIBCO JasperReports Server version 6.4.0 update to version 6.4.2 or higher\n\n  TIBCO JasperReports Server Community Edition versions 6.4.0 and below update to version 6.4.2 or higher\n\n  TIBCO JasperReports Server for ActiveMatrix BPM versions 6.4.0 and below update to version 6.4.2 or higher\n\n  TIBCO JasperReports Library versions 6.2.X update to version 6.2.4 or higher\n  TIBCO JasperReports Library versions 6.3.X update to version 6.3.3 or higher\n  TIBCO JasperReports Library versions 6.4.X update to version 6.4.2 or higher\n\n  TIBCO JasperReports Library for ActiveMatrix BPM versions 6.4.X update to version 6.4.2\n\n  TIBCO Jaspersoft for AWS with Multi-Tenancy versions 6.4.0 and below update to version 6.4.2 or higher\n  \n  TIBCO Jaspersoft Reporting and Analytics for AWS versions 6.4.0 and below update to version 6.4.2 or higher\n\n  TIBCO Jaspersoft Studio versions 6.2.X update to version 6.2.4\n  TIBCO Jaspersoft Studio versions 6.3.X update to version 6.3.3\n  TIBCO Jaspersoft Studio version 6.4.0 update to version 6.4.2\n   \n  TIBCO Jaspersoft Studio for ActiveMatrix BPM 6.4.0 update to version 6.4.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "4f830c72-39e4-45f6-a99f-78cc01ae04db",
    "assignerShortName": "tibco",
    "cveId": "CVE-2017-5532",
    "datePublished": "2017-11-15T21:00:00Z",
    "dateReserved": "2017-01-19T00:00:00",
    "dateUpdated": "2024-09-16T20:48:07.136Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2018-15506

CVE-2017-5532 (GCVE-0-2017-5532)

Tags

Sightings

Nomenclature