CVE-2018-18815 — Incorrect Authorization in Software INC Tibco Jasperreports Server Community Edition

CWE-863 — Incorrect Authorization3 documents3 sources

Severity

9.8CRITICALNVD

CNA10.0

EPSS

0.2%

top 52.44%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tibco Software INC Tibco Jasperreports Server Community Edition Tibco Software INC Tibco Jasperreports Server FOR Activematrix BPM Tibco Software INC Tibco Jaspersoft FOR AWS With Multi-tenancy +5 more

Timeline

PublishedMar 7

Latest updateMay 13

Description

The REST API component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, and TIBCO Jaspersoft Reporting and Analytics for AWS contains a vulnerability that theoretically allows unauthenticated users to bypass authorization checks for portions of the HTTP interface to the JasperReports Server. Affected releases are TIBCO Software Inc.'s TIBCO JasperReports…

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages8 packages

▶CVEListV5tibco_software_inc/tibco_jasperreports_server_community_editionunspecified — 7.1.0

▶CVEListV5tibco_software_inc/tibco_jasperreports_server_for_activematrix_bpmunspecified — 6.4.3

▶CVEListV5tibco_software_inc/tibco_jasperreports_server5 versions+4

▶NVDtibco/jasperreports_server6.4.3+6

▶CVEListV5tibco_software_inc/tibco_jaspersoft_for_aws_with_multi-tenancyunspecified — 7.1.0

🔴Vulnerability Details

GHSA

GHSA-x2m2-4jfp-mm86: The REST API component of TIBCO Software Inc↗2022-05-13

▶

CVEList

TIBCO JasperReports Server User Information Disclosure↗2019-03-07

▶