CVE-2018-18809
published 2019-03-07

CVE-2018-18809: The default server implementation of TIBCO Software Inc.'s TIBCO JasperReports Library, TIBCO JasperReports Library Community Edition, TIBCO JasperReports…

Priority: P1 83 · Severity: medium · CVSS 3.1 base score: 6.5
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:N / A:N
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2023-01-19
Exploited in the wild
EPSS: 79.53% (99.6th percentile)
The default server implementation of TIBCO Software Inc.'s TIBCO JasperReports Library, TIBCO JasperReports Library Community Edition, TIBCO JasperReports Library for ActiveMatrix BPM, TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, and TIBCO Jaspersoft Reporting and Analytics for AWS contains a directory-traversal vulnerability that may theoretically allow web server users to access contents of the host system. Affected releases are TIBCO Software Inc.'s TIBCO JasperReports Library: versions up to and including 6.3.4; 6.4.1; 6.4.2; 6.4.21; 7.1.0; 7.2.0, TIBCO JasperReports Library Community Edition: versions up to and including 6.7.0, TIBCO JasperReports Library for ActiveMatrix BPM: versions up to and including 6.4.21, TIBCO JasperReports Server: versions up to and including 6.3.4; 6.4.0; 6.4.1; 6.4.2; 6.4.3; 7.1.0, TIBCO JasperReports Server Community Edition: versions up to and including 6.4.3; 7.1.0, TIBCO JasperReports Server for ActiveMatrix BPM: versions up to and including 6.4.3, TIBCO Jaspersoft for AWS with Multi-Tenancy: versions up to and including 7.1.0, TIBCO Jaspersoft Reporting and Analytics for AWS: versions up to and including 7.1.0.

Affected

27 ranges · showing 25

Vendor              Product                                            Version range          Fixed in
tibco               jasperreports_library                              <= 6.4.21
tibco               jasperreports_library                              <= 6.7.0
tibco               jasperreports_library
tibco               jasperreports_library
tibco               jasperreports_server                               <= 6.4.3
tibco               jasperreports_server
tibco               jaspersoft                                         <= 7.1.0
tibco               jaspersoft_reporting_and_analytics                 <= 7.1.0
tibco_software_inc  tibco_jasperreports_library
tibco_software_inc  tibco_jasperreports_library
tibco_software_inc  tibco_jasperreports_library
tibco_software_inc  tibco_jasperreports_library
tibco_software_inc  tibco_jasperreports_library
tibco_software_inc  tibco_jasperreports_library                        unspecified – 6.3.4
tibco_software_inc  tibco_jasperreports_library_community_edition      unspecified – 6.7.0
tibco_software_inc  tibco_jasperreports_library_for_activematrix_bpm   unspecified – 6.4.21
tibco_software_inc  tibco_jasperreports_server
tibco_software_inc  tibco_jasperreports_server
tibco_software_inc  tibco_jasperreports_server
tibco_software_inc  tibco_jasperreports_server
tibco_software_inc  tibco_jasperreports_server
tibco_software_inc  tibco_jasperreports_server                         unspecified – 6.3.4
tibco_software_inc  tibco_jasperreports_server_community_edition
tibco_software_inc  tibco_jasperreports_server_community_edition       unspecified – 6.4.3
tibco_software_inc  tibco_jasperreports_server_for_activematrix_bpm    unspecified – 6.4.3

Detection & IOCs (extracted from sources)

url: /jasperserver-pro/reportresource/reportresource/?resource=net/sf/jasperreports/../../../../js.jdbc.properties
path: /reportresource/reportresource/?
filename: js.jdbc.properties
snort:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT TIBCO JasperReports Directory Traversal Attempt (CVE-2018-18809)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/reportresource/reportresource/?"; pcre:"/^resource=net\/sf\/jasperreports\/\.\..+/RUi"; reference:cve,2018-18809; reference:url,security.elarlang.eu/cve-2018-18809-path-traversal-in-tibco-jaspersoft.html; classtype:web-application-attack; sid:2043228; rev:2; metadata:affected_product Web_Server_Applications, created_at 2023_01_05, cve CVE_2018_18809, deployment Perimeter, deployment Internal, deployment Datacenter, deployment SSLDecrypt, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_11_26, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;)
  • Match HTTP response body for both 'metadata.jdbc.driverClassName' AND 'metadata.hibernate.dialect' to confirm successful directory traversal and credential file exfiltration.
  • Detect traversal attempts via PCRE on the URI query string: resource parameter starting with 'net/sf/jasperreports/' followed by '../' sequences.
  • Shodan/FOFA fingerprint for exposed JasperReports Server instances: search for 'jasperserver-pro' in HTML body.
  • The exploit targets the GET method exclusively; filter on HTTP GET requests to the /reportresource/reportresource/ endpoint.
  • The traversal payload uses 'net/sf/jasperreports/' as a mandatory prefix before the '../' sequences; the depth of traversal (number of '../') may vary depending on the server's installation path.
  • The vulnerability requires an authenticated (low-privilege) user (PR:L per CVSS), meaning unauthenticated scanning will not trigger the vulnerability.
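As an added example (not from this page, TIBCO, or the rule's author), the request-side logic of the Snort rule above and the response-body confirmation check, applied in Python to a handful of constructed access-log lines; the combined-log format and the sample lines are assumptions:

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request-side pattern from the page's Snort rule: a GET to the
# /reportresource/reportresource/ endpoint whose resource= value starts with
# net/sf/jasperreports/ and is immediately followed by a ".." sequence.
TRAVERSAL_RE = re.compile(r"^net/sf/jasperreports/\.\..+", re.IGNORECASE)
ENDPOINT = "/reportresource/reportresource/"

# Request field of an Apache/nginx combined log line (assumed format).
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def is_traversal_request(method: str, uri: str) -> bool:
    """True when (method, uri) matches the CVE-2018-18809 traversal pattern."""
    if method.upper() != "GET":          # the page's rule keys on GET only
        return False
    parts = urlsplit(uri)
    if ENDPOINT not in parts.path:
        return False
    # parse_qs percent-decodes values, so an encoded "..%2F" form is also caught.
    resource = parse_qs(parts.query).get("resource", [""])[0]
    return TRAVERSAL_RE.match(resource) is not None

def is_successful_exfil(body: str) -> bool:
    """Response-side confirmation from the page: both property names present."""
    return ("metadata.jdbc.driverClassName" in body
            and "metadata.hibernate.dialect" in body)

def scan_access_log(lines):
    """Return (line_no, status) for each request matching the traversal pattern."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if m and is_traversal_request(m["method"], m["uri"]):
            hits.append((n, m["status"]))
    return hits

# Constructed sample access-log lines (not from the page) for a dry run.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Mar/2019:10:00:01 +0000] "GET /jasperserver-pro/login.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [07/Mar/2019:10:00:02 +0000] "GET /jasperserver-pro/reportresource/reportresource/?resource=net/sf/jasperreports/../../../../js.jdbc.properties HTTP/1.1" 200 1320',
    '10.0.0.9 - - [07/Mar/2019:10:00:03 +0000] "GET /jasperserver-pro/reportresource/reportresource/?resource=net/sf/jasperreports/..%2F..%2Fjs.jdbc.properties HTTP/1.1" 403 0',
    '10.0.0.9 - - [07/Mar/2019:10:00:04 +0000] "GET /jasperserver-pro/reportresource/reportresource/?resource=net/sf/jasperreports/engine/logo.png HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for line_no, status in scan_access_log(SAMPLE_LOG):
        print(f"line {line_no}: traversal attempt, HTTP {status}")
```

The status column lets an analyst separate blocked attempts (403) from requests that were served (200), which is where the response-body check comes in.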

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      6.5     MEDIUM     CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
nvd         v3.0      9.9     CRITICAL   CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
nvd         v2.0      4.0     MEDIUM     AV:N/AC:L/Au:S/C:P/I:N/A:N
vulncheck             6.5     MEDIUM
cisa                  6.5     MEDIUM