CVE-2018-18809
Published 2019-03-07

Priority: P1 (83) · medium · CVSS 3.1 base score 6.5
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Flags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2023-01-19
Exploited in the wild
EPSS: 79.53% (99.6th percentile)
The default server implementation of TIBCO Software Inc.'s TIBCO JasperReports Library, TIBCO JasperReports Library Community Edition, TIBCO JasperReports Library for ActiveMatrix BPM, TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, and TIBCO Jaspersoft Reporting and Analytics for AWS contains a directory-traversal vulnerability that may theoretically allow web server users to access contents of the host system. Affected releases are TIBCO Software Inc.'s TIBCO JasperReports Library: versions up to and including 6.3.4; 6.4.1; 6.4.2; 6.4.21; 7.1.0; 7.2.0, TIBCO JasperReports Library Community Edition: versions up to and including 6.7.0, TIBCO JasperReports Library for ActiveMatrix BPM: versions up to and including 6.4.21, TIBCO JasperReports Server: versions up to and including 6.3.4; 6.4.0; 6.4.1; 6.4.2; 6.4.3; 7.1.0, TIBCO JasperReports Server Community Edition: versions up to and including 6.4.3; 7.1.0, TIBCO JasperReports Server for ActiveMatrix BPM: versions up to and including 6.4.3, TIBCO Jaspersoft for AWS with Multi-Tenancy: versions up to and including 7.1.0, TIBCO Jaspersoft Reporting and Analytics for AWS: versions up to and including 7.1.0.
Affected (27 ranges, showing 25)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tibco | jasperreports_library | <= 6.4.21 | — |
| tibco | jasperreports_library | <= 6.7.0 | — |
| tibco | jasperreports_library | — | — |
| tibco | jasperreports_library | — | — |
| tibco | jasperreports_server | <= 6.4.3 | — |
| tibco | jasperreports_server | — | — |
| tibco | jaspersoft | <= 7.1.0 | — |
| tibco | jaspersoft_reporting_and_analytics | <= 7.1.0 | — |
| tibco_software_inc | tibco_jasperreports_library | — | — |
| tibco_software_inc | tibco_jasperreports_library | — | — |
| tibco_software_inc | tibco_jasperreports_library | — | — |
| tibco_software_inc | tibco_jasperreports_library | — | — |
| tibco_software_inc | tibco_jasperreports_library | — | — |
| tibco_software_inc | tibco_jasperreports_library | unspecified – 6.3.4 | — |
| tibco_software_inc | tibco_jasperreports_library_community_edition | unspecified – 6.7.0 | — |
| tibco_software_inc | tibco_jasperreports_library_for_activematrix_bpm | unspecified – 6.4.21 | — |
| tibco_software_inc | tibco_jasperreports_server | — | — |
| tibco_software_inc | tibco_jasperreports_server | — | — |
| tibco_software_inc | tibco_jasperreports_server | — | — |
| tibco_software_inc | tibco_jasperreports_server | — | — |
| tibco_software_inc | tibco_jasperreports_server | — | — |
| tibco_software_inc | tibco_jasperreports_server | unspecified – 6.3.4 | — |
| tibco_software_inc | tibco_jasperreports_server_community_edition | — | — |
| tibco_software_inc | tibco_jasperreports_server_community_edition | unspecified – 6.4.3 | — |
| tibco_software_inc | tibco_jasperreports_server_for_activematrix_bpm | unspecified – 6.4.3 | — |
Detection & IOCs (extracted from sources)

- URL: /jasperserver-pro/reportresource/reportresource/?resource=net/sf/jasperreports/../../../../js.jdbc.properties
- Path: /reportresource/reportresource/?
- Filename: js.jdbc.properties

Snort/Suricata rule (sid 2043228):

```
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT TIBCO JasperReports Directory Traversal Attempt (CVE-2018-18809)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/reportresource/reportresource/?"; pcre:"/^resource=net\/sf\/jasperreports\/\.\..+/RUi"; reference:cve,2018-18809; reference:url,security.elarlang.eu/cve-2018-18809-path-traversal-in-tibco-jaspersoft.html; classtype:web-application-attack; sid:2043228; rev:2; metadata:affected_product Web_Server_Applications, created_at 2023_01_05, cve CVE_2018_18809, deployment Perimeter, deployment Internal, deployment Datacenter, deployment SSLDecrypt, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_11_26, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;)
```

Detection notes:

- Match the HTTP response body for both 'metadata.jdbc.driverClassName' AND 'metadata.hibernate.dialect' to confirm a successful directory traversal and credential-file exfiltration.
- Detect traversal attempts via PCRE on the URI query string: a resource parameter starting with 'net/sf/jasperreports/' followed by '../' sequences.
- Shodan/FOFA fingerprint for exposed JasperReports Server instances: search for 'jasperserver-pro' in the HTML body.
- The exploit targets the GET method exclusively; filter on HTTP GET requests to the /reportresource/reportresource/ endpoint.
- The traversal payload uses 'net/sf/jasperreports/' as a mandatory prefix before the '../' sequences; the depth of traversal (number of '../') may vary depending on the server's installation path.
- The vulnerability requires an authenticated (low-privilege) user (PR:L per CVSS), meaning unauthenticated scanning will not trigger the vulnerability.
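The request-side checks from the notes above (GET to the reportresource endpoint, resource parameter with the net/sf/jasperreports/ prefix followed by '..'), applied to web-server access logs in Python. This is an added example, not code from the page or from any of the listed sources; the log lines are constructed samples in combined log format, and the resource value is percent-decoded before matching so encoded traversal sequences are not missed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Same pattern as the Suricata rule's PCRE: prefix, then "..", then anything.
# Case-insensitive like the rule's /i flag.
TRAVERSAL_RE = re.compile(r"^net/sf/jasperreports/\.\..+", re.IGNORECASE)
# The rule's content match is a substring match, so the context path
# (e.g. /jasperserver-pro) in front of it does not matter.
TARGET_PATH = "/reportresource/reportresource/"

# Combined-log-format request line: '<src> - - [ts] "METHOD URI HTTP/x" <status>'
LOG_LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def is_traversal_request(method: str, uri: str) -> bool:
    """True when a request matches the CVE-2018-18809 traversal pattern."""
    if method.upper() != "GET":          # the exploit uses GET only
        return False
    parts = urlsplit(uri)
    if TARGET_PATH not in parts.path.lower():
        return False
    for value in parse_qs(parts.query, keep_blank_values=True).get("resource", []):
        # parse_qs decodes once; decode again to also catch double-encoding
        if TRAVERSAL_RE.match(unquote(value)):
            return True
    return False


def scan_access_log(lines):
    """Return (source_ip, status, uri) for every matching request.

    The status code lets a responder prioritise 200s (likely file read)
    over 4xx/5xx attempts against an unauthenticated or patched server."""
    hits = []
    for line in lines:
        m = LOG_LINE_RE.match(line)
        if m and is_traversal_request(m["method"], m["uri"]):
            hits.append((m["src"], int(m["status"]), m["uri"]))
    return hits


# Constructed sample log lines (not real traffic): two traversal attempts
# (one percent-encoded), one benign resource fetch, one POST that must not match.
SAMPLE_LOG = [
    '203.0.113.10 - - [05/Jan/2023:10:00:00 +0000] "GET /jasperserver-pro/reportresource/reportresource/?resource=net/sf/jasperreports/../../../../js.jdbc.properties HTTP/1.1" 200 512',
    '203.0.113.11 - - [05/Jan/2023:10:00:01 +0000] "GET /jasperserver-pro/reportresource/reportresource/?resource=net%2Fsf%2Fjasperreports%2F%2E%2E%2F%2E%2E%2Fjs.jdbc.properties HTTP/1.1" 200 512',
    '198.51.100.5 - - [05/Jan/2023:10:00:02 +0000] "GET /jasperserver-pro/reportresource/reportresource/?resource=net/sf/jasperreports/engine/images/pixel.GIF HTTP/1.1" 200 43',
    '198.51.100.6 - - [05/Jan/2023:10:00:03 +0000] "POST /jasperserver-pro/reportresource/reportresource/?resource=net/sf/jasperreports/../../x HTTP/1.1" 405 0',
]
```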
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| nvd | 3.0 | 9.9 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| nvd | 2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |
| vulncheck | — | 6.5 | MEDIUM | — |
| cisa | — | 6.5 | MEDIUM | — |
GHSA
GHSA-2qh3-cx4w-cf3x: The default server implementation of TIBCO Software Inc
Source: ghsa (unreviewed) · 2022-05-13 · CVE-2018-18809 · MEDIUM · CWE-22
Description: identical to the NVD description above.
VulnCheck
TIBCO JasperReports Library Directory Traversal Vulnerability
Source: vulncheck · 2018 · CVSS 6.5 · CVE-2018-18809 · MEDIUM · CWE-22
TIBCO JasperReports Library contains a directory-traversal vulnerability that may allow web server users to access contents of the host system.
Affected: TIBCO JasperReports
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2023-01-19
CISA
TIBCO JasperReports Library Directory Traversal Vulnerability
Source: cisa · 2022-12-29 · CVSS 6.5 · CVE-2018-18809 · MEDIUM · CWE-22
Vulnerability: TIBCO JasperReports Library Directory Traversal Vulnerability
Affected: TIBCO JasperReports
TIBCO JasperReports Library contains a directory-traversal vulnerability that may allow web server users to access contents of the host system.
Required Action: Apply updates per vendor instructions.
Notes: https://www.tibco.com/support/advisories/2019/03/tibco-security-advisory-march-6-2019-tibco-jasperreports-library-2018-18809; https://nvd.nist.gov/vuln/detail/CVE-2018-18809
Remediation Due Date: 2023-01-19
Suricata
ET EXPLOIT TIBCO JasperReports Directory Traversal Attempt (CVE-2018-18809)
Source: suricata · 2023-01-05 · CVSS 6.5 · CVE-2018-18809 · MEDIUM
Rule: sid 2043228, rev 2; the full rule text is quoted under Detection & IOCs above.
Nuclei
TIBCO JasperReports Library - Directory Traversal
Source: nuclei · CVSS 6.5 · CVE-2018-18809 · MEDIUM
Template (truncated in the indexed source):

```yaml
id: CVE-2018-18809

info:
  name: TIBCO JasperReports Library - Directory Traversal
  author: DhiyaneshDK
  severity: medium
  description: |
    The default server implementation of TIBCO Software Inc.'s TIBCO Ja
```
No writeups or analysis indexed.
References

- http://packetstormsecurity.com/files/154406/Tibco-JasperSoft-Path-Traversal.html
- http://seclists.org/fulldisclosure/2019/Sep/17
- http://www.securityfocus.com/bid/107351
- http://www.tibco.com/services/support/advisories
- https://cybersecurityworks.com/zerodays/cve-2018-18809-tibco.html
- https://security.elarlang.eu/cve-2018-18809-path-traversal-in-tibco-jaspersoft.html
- https://www.tibco.com/support/advisories/2019/03/tibco-security-advisory-march-6-2019-tibco-jasperreports-library-2018-18809
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-18809

Timeline

- 2019-03-07: Published
- 2022-12-29: Added to CISA KEV
- Exploited in the wild