The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a two-year-old security flaw affecting TIBCO Software's JasperReports product to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The defects, tracked as CVE-2018-5430 (CVSS score: 7.7) and CVE-2018-18809 (CVSS score: 9.9), were addressed by TIBCO in April 2018 and March 2019, respectively.
TIBCO JasperReports is a Java-based reporting and data analysis platform for creating, distributing, and managing reports and dashboards.
The first of the two issues, CVE-2018-5430, is an information disclosure bug in the server component that allows authenticated users to obtain read-only access to arbitrary files, including key configuration files.
“This impact includes the possibility of read-only access by authenticated users to web application configuration files containing credentials used by the server,” TIBCO said at the time. “These credentials may be used to influence external systems accessed by the JasperReports server.”
CVE-2018-18809, on the other hand, is a directory traversal vulnerability in the JasperReports library that could allow web server users to access sensitive files on the host, enabling an attacker to steal credentials and compromise other systems.
CISA has not disclosed any additional details about how the vulnerabilities are being weaponized in actual attacks. US federal agencies have until January 19, 2023 to patch their systems.