FKIE_CVE-2018-5429

Vulnerability from fkie_nvd - Published: 2018-04-17 18:29 - Updated: 2024-11-21 04:08
Severity ?
8.8 (High) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
A vulnerability in the report scripting component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO JasperReports Library, TIBCO JasperReports Library Community Edition, TIBCO JasperReports Library for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, TIBCO Jaspersoft Reporting and Analytics for AWS, TIBCO Jaspersoft Studio, TIBCO Jaspersoft Studio Community Edition, and TIBCO Jaspersoft Studio for ActiveMatrix BPM may allow analytic reports that contain scripting to perform arbitrary code execution. Affected releases include TIBCO Software Inc.'s TIBCO JasperReports Server: versions up to and including 6.2.4; 6.3.0; 6.3.2;6.3.3; 6.4.0; 6.4.2, TIBCO JasperReports Server Community Edition: versions up to and including 6.4.2, TIBCO JasperReports Server for ActiveMatrix BPM: versions up to and including 6.4.2, TIBCO JasperReports Library: versions up to and including 6.2.4; 6.3.0; 6.3.2; 6.3.3; 6.4.0; 6.4.1; 6.4.2, TIBCO JasperReports Library Community Edition: versions up to and including 6.4.3, TIBCO JasperReports Library for ActiveMatrix BPM: versions up to and including 6.4.2, TIBCO Jaspersoft for AWS with Multi-Tenancy: versions up to and including 6.4.2, TIBCO Jaspersoft Reporting and Analytics for AWS: versions up to and including 6.4.2, TIBCO Jaspersoft Studio: versions up to and including 6.2.4; 6.3.0; 6.3.2; 6.3.3; 6.4.0; 6.4.2, TIBCO Jaspersoft Studio Community Edition: versions up to and including 6.4.3, TIBCO Jaspersoft Studio for ActiveMatrix BPM: versions up to and including 6.4.2.
References
security@tibco.comhttps://www.tibco.com/support/advisories/2018/04/tibco-security-advisory-april-17-2018-tibco-jasperreports-2018-5429Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.tibco.com/support/advisories/2018/04/tibco-security-advisory-april-17-2018-tibco-jasperreports-2018-5429Vendor Advisory
Impacted products
Vendor Product Version
tibco jasperreports_server *
tibco jasperreports_server *
tibco jasperreports_server *
tibco jasperreports_server 6.3.0
tibco jasperreports_server 6.3.2
tibco jasperreports_server 6.3.3
tibco jasperreports_server 6.4.0
tibco jasperreports_server 6.4.2
tibco jasperreports_library *
tibco jasperreports_library *
tibco jasperreports_library *
tibco jasperreports_library 6.3.0
tibco jasperreports_library 6.3.2
tibco jasperreports_library 6.3.3
tibco jasperreports_library 6.4.0
tibco jasperreports_library 6.4.1
tibco jasperreports_library 6.4.2
tibco jaspersoft *
tibco jaspersoft_reporting_and_analytics *
tibco jaspersoft_studio *
tibco jaspersoft_studio *
tibco jaspersoft_studio *
tibco jaspersoft_studio 6.3.0
tibco jaspersoft_studio 6.3.2
tibco jaspersoft_studio 6.3.3
tibco jaspersoft_studio 6.4.0
tibco jaspersoft_studio 6.4.2
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:tibco:jasperreports_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "83D3533B-42CF-400B-A9E2-94302E009201",
              "versionEndIncluding": "6.2.4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:tibco:jasperreports_server:*:*:*:*:*:activematrix_bpm:*:*",
              "matchCriteriaId": "F8B7F2D6-580E-490B-83F5-56F76F125BA9",
              "versionEndIncluding": "6.4.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:tibco:jasperreports_server:*:*:*:*:community:*:*:*",
              "matchCriteriaId": "41D39313-991B-43DD-B830-06BE226E3FF6",
              "versionEndIncluding": "6.4.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:tibco:jasperreports_server:6.3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "8FF00ED7-2B4C-4043-A061-84ADFB785C92",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:tibco:jasperreports_server:6.3.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "D0B0408C-9F3F-48A7-A8B4-379B90557E95",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:tibco:jasperreports_server:6.3.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "D32E717A-31B1-4415-B6B9-E39FAC38E756",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:tibco:jasperreports_server:6.4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "B714B874-89AD-49AD-8B8D-2EEDF6804E1C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:tibco:jasperreports_server:6.4.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "5A7A9802-61F8-45AC-B5C5-82521DF50B4F",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:tibco:jasperreports_library:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "0ADDCC84-2AB8-4759-A83C-53E31C2B4C44",
              "versionEndIncluding": "6.2.4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:tibco:jasperreports_library:*:*:*:*:*:activematrix_bpm:*:*",
              "matchCriteriaId": "2D6E1EDB-11E7-4F2F-AD02-8CF21C721E83",
              "versionEndIncluding": "6.4.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:tibco:jasperreports_library:*:*:*:*:community:*:*:*",
              "matchCriteriaId": "7A3B8FD1-6251-474E-8481-BF30ECF52284",
              "versionEndIncluding": "6.4.3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:tibco:jasperreports_library:6.3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "BDEEB975-7721-436C-A8EF-62C91A67D5E2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:tibco:jasperreports_library:6.3.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "A77C998E-10BD-49CE-AA25-57D24DE782B2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:tibco:jasperreports_library:6.3.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "3C4051E7-D4F9-4285-A7E2-BC0BA45365AA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:tibco:jasperreports_library:6.4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "E28FF909-232C-4C5E-981D-BD5438FD0D28",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:tibco:jasperreports_library:6.4.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "29FE5644-D4B9-404D-9169-2AAF87721234",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:tibco:jasperreports_library:6.4.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "15FC0C65-B16F-402F-B5D9-10F4EE2C06FC",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:tibco:jaspersoft:*:*:*:*:*:aws_with_multi-tenancy:*:*",
              "matchCriteriaId": "E45760CC-1126-49FA-B86F-1DBEB379F4D4",
              "versionEndIncluding": "6.4.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:tibco:jaspersoft_reporting_and_analytics:*:*:*:*:*:aws:*:*",
              "matchCriteriaId": "9B604288-1622-4FA1-B48B-9F11EB1C3140",
              "versionEndIncluding": "6.4.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:tibco:jaspersoft_studio:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9012FB6C-09B5-4E7E-93FA-07EEFD412DFD",
              "versionEndIncluding": "6.2.4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:tibco:jaspersoft_studio:*:*:*:*:*:activematrix_bpm:*:*",
              "matchCriteriaId": "6E46934C-3A07-4478-91D3-2374848B9637",
              "versionEndIncluding": "6.4.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:tibco:jaspersoft_studio:*:*:*:*:community:*:*:*",
              "matchCriteriaId": "B67854F9-91AC-430D-BC18-A804E844B2E6",
              "versionEndIncluding": "6.4.3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:tibco:jaspersoft_studio:6.3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "40D22C6F-FF80-4154-AC3D-2D27987E7ACC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:tibco:jaspersoft_studio:6.3.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "EEE165BF-269E-4964-8051-1AE06A911851",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:tibco:jaspersoft_studio:6.3.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "15556DBC-8987-4121-AB6E-F1E70E47CA2C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:tibco:jaspersoft_studio:6.4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "C5D48582-55FC-4D7F-8B01-A649A19A1E9B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:tibco:jaspersoft_studio:6.4.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "098D98D0-1C9E-4F04-9F80-2BBA485CA9D7",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A vulnerability in the report scripting component of TIBCO Software Inc.\u0027s TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO JasperReports Library, TIBCO JasperReports Library Community Edition, TIBCO JasperReports Library for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, TIBCO Jaspersoft Reporting and Analytics for AWS, TIBCO Jaspersoft Studio, TIBCO Jaspersoft Studio Community Edition, and TIBCO Jaspersoft Studio for ActiveMatrix BPM may allow analytic reports that contain scripting to perform arbitrary code execution. Affected releases include TIBCO Software Inc.\u0027s TIBCO JasperReports Server: versions up to and including 6.2.4; 6.3.0; 6.3.2;6.3.3; 6.4.0; 6.4.2, TIBCO JasperReports Server Community Edition: versions up to and including 6.4.2, TIBCO JasperReports Server for ActiveMatrix BPM: versions up to and including 6.4.2, TIBCO JasperReports Library: versions up to and including 6.2.4; 6.3.0; 6.3.2; 6.3.3; 6.4.0; 6.4.1; 6.4.2, TIBCO JasperReports Library Community Edition: versions up to and including 6.4.3, TIBCO JasperReports Library for ActiveMatrix BPM: versions up to and including 6.4.2, TIBCO Jaspersoft for AWS with Multi-Tenancy: versions up to and including 6.4.2, TIBCO Jaspersoft Reporting and Analytics for AWS: versions up to and including 6.4.2, TIBCO Jaspersoft Studio: versions up to and including 6.2.4; 6.3.0; 6.3.2; 6.3.3; 6.4.0; 6.4.2, TIBCO Jaspersoft Studio Community Edition: versions up to and including 6.4.3, TIBCO Jaspersoft Studio for ActiveMatrix BPM: versions up to and including 6.4.2."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad en el componente de scripting de informes en TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO JasperReports Library, TIBCO JasperReports Library Community Edition, TIBCO JasperReports Library for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, TIBCO Jaspersoft Reporting and Analytics for AWS, TIBCO Jaspersoft Studio, TIBCO Jaspersoft Studio Community Edition y TIBCO Jaspersoft Studio for ActiveMatrix BPM, de TIBCO Software Inc., podr\u00eda permitir que informes anal\u00edticos que contengan scripting realicen ejecuci\u00f3n de c\u00f3digo arbitrario. Las versiones afectadas incluyen a TIBCO JasperReports Server: versiones hasta e incluyendo la 6.2.4, 6.3.0, 6.3.2, 6.3.3, 6.4.0 y 6.4.2; TIBCO JasperReports Server Community Edition: versiones hasta e incluyendo la 6.4.2; TIBCO JasperReports Server for ActiveMatrix BPM: versiones hasta e incluyendo la 6.4.2; TIBCO JasperReports Library: versiones hasta e incluyendo la 6.2.4, 6.3.0, 6.3.2, 6.3.3, 6.4.0, 6.4.1 y 6.4.2; TIBCO JasperReports Library Community Edition: versiones hasta e incluyendo la 6.4.3; TIBCO JasperReports Library for ActiveMatrix BPM: versiones hasta e incluyendo la 6.4.2; TIBCO Jaspersoft for AWS with Multi-Tenancy: versiones hasta e incluyendo la 6.4.2; TIBCO Jaspersoft Reporting and Analytics for AWS: versiones hasta e incluyendo la 6.4.2; TIBCO Jaspersoft Studio: versiones hasta e incluyendo la 6.2.4, 6.3.0, 6.3.2, 6.3.3, 6.4.0 y 6.4.2; TIBCO Jaspersoft Studio Community Edition: versiones hasta e incluyendo la 6.4.3; TIBCO Jaspersoft Studio for ActiveMatrix BPM: versiones hasta e incluyendo la 6.4.2, de TIBCO Software Inc."
    }
  ],
  "id": "CVE-2018-5429",
  "lastModified": "2024-11-21T04:08:47.023",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "security@tibco.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2018-04-17T18:29:00.213",
  "references": [
    {
      "source": "security@tibco.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.tibco.com/support/advisories/2018/04/tibco-security-advisory-april-17-2018-tibco-jasperreports-2018-5429"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.tibco.com/support/advisories/2018/04/tibco-security-advisory-april-17-2018-tibco-jasperreports-2018-5429"
    }
  ],
  "sourceIdentifier": "security@tibco.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.