CVE-2018-5430
Published 2018-04-17
Priority: P1 · 85 · high · CVSS 3.1: 8.8
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability (remediation due 2023-01-19)
Exploited in the wild
EPSS: 48.75% (98.7th percentile)
The Spring web flows of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, and TIBCO Jaspersoft Reporting and Analytics for AWS contain a vulnerability which may allow any authenticated user read-only access to the contents of the web application, including key configuration files. Affected releases include TIBCO Software Inc.'s TIBCO JasperReports Server: versions up to and including 6.2.4; 6.3.0; 6.3.2; 6.3.3; 6.4.0; 6.4.2, TIBCO JasperReports Server Community Edition: versions up to and including 6.4.2, TIBCO JasperReports Server for ActiveMatrix BPM: versions up to and including 6.4.2, TIBCO Jaspersoft for AWS with Multi-Tenancy: versions up to and including 6.4.2, TIBCO Jaspersoft Reporting and Analytics for AWS: versions up to and including 6.4.2.
Affected
19 ranges (the five individually listed releases 6.3.0, 6.3.2, 6.3.3, 6.4.0 and 6.4.2 from the description are collapsed into one row per vendor entry; no fixed versions are recorded on this page, see the TIBCO advisory under References)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tibco | jasperreports_server | <= 6.2.4 | — |
| tibco | jasperreports_server | 6.3.0, 6.3.2, 6.3.3, 6.4.0, 6.4.2 (individual releases) | — |
| tibco | jasperreports_server | <= 6.4.2 | — |
| tibco | jaspersoft | <= 6.4.2 | — |
| tibco | jaspersoft_reporting_and_analytics | <= 6.4.2 | — |
| tibco_software_inc | tibco_jasperreports_server | unspecified – 6.2.4 | — |
| tibco_software_inc | tibco_jasperreports_server | 6.3.0, 6.3.2, 6.3.3, 6.4.0, 6.4.2 (individual releases) | — |
| tibco_software_inc | tibco_jasperreports_server_community_edition | unspecified – 6.4.2 | — |
| tibco_software_inc | tibco_jasperreports_server_for_activematrix_bpm | unspecified – 6.4.2 | — |
| tibco_software_inc | tibco_jaspersoft_for_aws_with_multi-tenancy | unspecified – 6.4.2 | — |
| tibco_software_inc | tibco_jaspersoft_reporting_and_analytics_for_aws | unspecified – 6.4.2 | — |
Detection & IOCs (extracted from sources)
URL: /jasperserver-pro/flow.html?_flowId=sampleFlow&page=../../../jsp/modules/administer/awsConfiguration
Snort/Suricata rule (ET sid 2043229):
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT TIBCO JasperReports Authenticated Arbitrary File Read Attempt (CVE-2018-5430)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/flow.html?_flowId=sampleFlow&"; pcre:"/^page=\.\..+/RUi"; reference:cve,2018-5430; reference:url,rhinosecuritylabs.com/application-security/authenticated-file-read-vulnerability-in-jasperreports/; classtype:web-application-attack; sid:2043229; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2023_01_05, cve CVE_2018_5430, deployment Perimeter, deployment Datacenter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_01_05;)
- Path traversal via the unsanitized `page` parameter in Spring web flow requests: look for GET requests to /flow.html?_flowId=sampleFlow& where the value of `page` begins with `../`.
- Monitor authenticated GET requests to /flow.html with _flowId=sampleFlow and a `page` parameter containing directory traversal sequences (../); the Emerging Threats PCRE is /^page=\.\..+/RUi. Because of the `R` (relative) modifier and the `^` anchor, the signature only fires when `page` immediately follows `_flowId=sampleFlow&`; a request with the parameters reordered, or one that targets a different flow, is not matched by this rule. Percent-encoded `..` is still caught, since `http.uri` is the normalised buffer.
- Post-intrusion LFI scenario: the attacker uploads a JSP webshell stored without a .jsp extension, then executes it through the path-traversal LFI vector using the semicolon bypass technique.
- The vulnerability requires authentication; exploitation is limited to authenticated users, but any privilege level is sufficient to exploit the path traversal.
- The `page` parameter traversal can expose key configuration files such as js.jdbc.properties, which may contain database credentials usable for lateral movement.
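The log-side check described in the bullets above, written out as an added example that is not from this page or from any of the listed sources: a small Python scanner over web-server access-log lines (the sample lines are constructed, and the field names and the `matches_et_sig` flag are this example's own). It goes beyond the ET signature in two ways: it decodes percent-encoding, including double encoding, before inspecting the `page` value, and it accepts the query parameters in any order, while still reporting whether each hit would also have tripped the order-dependent ET rule.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Common/combined access-log format as written by Apache httpd or Tomcat's AccessLogValve.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Shape of the Emerging Threats signature (sid 2043229): content "/flow.html?_flowId=sampleFlow&"
# followed immediately by pcre /^page=\.\..+/RUi, evaluated on the normalised URI.
ET_SIG_RE = re.compile(r"/flow\.html\?_flowId=sampleFlow&page=\.\..+", re.I)


def decode_repeatedly(value, rounds=3):
    """Strip up to `rounds` layers of percent-encoding so %2e%2e%2f and %252e%252e%252f both become '../'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(page_value):
    """True when any path segment of the decoded `page` value is '..' (backslashes treated as separators)."""
    normalised = decode_repeatedly(page_value).replace("\\", "/")
    return any(segment == ".." for segment in normalised.split("/"))


def analyse_request(method, uri):
    """Return a finding for a CVE-2018-5430-style request to flow.html, or None for anything else."""
    parts = urlsplit(uri)
    if not parts.path.lower().endswith("/flow.html"):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)  # removes one layer of %-encoding itself
    pages = [p for p in params.get("page", []) if has_traversal(p)]
    if not pages:
        return None
    return {
        "method": method,
        "flow_id": params.get("_flowId", [""])[0],
        "page": decode_repeatedly(pages[0]),
        # Would the order-dependent ET rule have fired? (Suricata matches http.uri after normalisation.)
        "matches_et_sig": method == "GET" and ET_SIG_RE.search(unquote(uri)) is not None,
    }


def scan_access_log(lines):
    """Run analyse_request over raw log lines and attach source IP, user and status to each finding."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = analyse_request(m["method"], m["uri"])
        if finding is not None:
            finding.update(src_ip=m["ip"], user=m["user"], status=int(m["status"]))
            findings.append(finding)
    return findings


# Constructed sample lines (not real traffic). Line 1 uses the URL quoted on this page; line 2 reorders the
# parameters and percent-encodes the traversal, which the ET signature does not cover; lines 3 and 4 are benign.
SAMPLE_LOG = [
    '10.0.0.5 - jasperadmin [05/Jan/2023:10:15:01 +0000] "GET /jasperserver-pro/flow.html'
    '?_flowId=sampleFlow&page=../../../jsp/modules/administer/awsConfiguration HTTP/1.1" 200 5123',
    '10.0.0.5 - joe [05/Jan/2023:10:15:09 +0000] "GET /jasperserver-pro/flow.html'
    '?page=..%2f..%2fWEB-INF%2fjs.jdbc.properties&_flowId=sampleFlow HTTP/1.1" 200 812',
    '10.0.0.7 - joe [05/Jan/2023:10:16:00 +0000] "GET /jasperserver-pro/flow.html'
    '?_flowId=sampleFlow&page=home HTTP/1.1" 200 4410',
    '10.0.0.8 - - [05/Jan/2023:10:16:30 +0000] "GET /jasperserver-pro/login.html HTTP/1.1" 200 2200',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

The `user` and `status` fields are kept on purpose: because the bug needs a valid session, a hit with a real user name and a 200 is a likely successful read, whereas `-` with a redirect or 4xx is an attempt worth correlating with authentication logs rather than a confirmed disclosure.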
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| NVD | 3.0 | 7.7 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N |
| NVD | 2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |
| OSV | — | 8.8 | HIGH | — |
| VulnCheck | — | 8.8 | HIGH | — |
| CISA | — | 8.8 | HIGH | — |
The flaw itself is read-only, which is what the v2.0 and v3.0 vectors express (integrity and availability None). The v3.1 vector rates all three impacts High, in line with the credential-exposure follow-on noted under Detection & IOCs, and that 8.8 is the score OSV, VulnCheck and CISA carry forward. Prioritise on the 8.8 together with the KEV listing, not on the 4.0 v2 score.
GHSA
GHSA-782f-h7v4-m7wc: The Spring web flows of TIBCO Software Inc
ghsa (unreviewed) · 2022-05-13 · HIGH · CWE-200
OSV
CVE-2018-5430: The Spring web flows of TIBCO Software Inc
osv · 2018-04-17 · CVSS 8.8 · HIGH
VulnCheck
TIBCO JasperReports Server Information Disclosure Vulnerability
vulncheck · 2018 · CVSS 8.8 · HIGH · CWE-22
TIBCO JasperReports Server contains a vulnerability which may allow any authenticated user read-only access to the contents of the web application, including key configuration files.
Affected: TIBCO JasperReports
Required Action: Apply updates per vendor instructions.
Exploitation References:
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://info.greynoise.io/hubfs/resources/GreyNoise-How-Resurgent-Vulnerabilities-Jeopardize-Organizational-Security-Report.pdf
Remediation Due: 2023-01-19
CISA
TIBCO JasperReports Server Information Disclosure Vulnerability
cisa · 2022-12-29 · CVSS 8.8 · HIGH · CWE-22
Affected: TIBCO JasperReports
TIBCO JasperReports Server contains a vulnerability which may allow any authenticated user read-only access to the contents of the web application, including key configuration files.
Required Action: Apply updates per vendor instructions.
Notes:
- https://www.tibco.com/support/advisories/2018/04/tibco-security-advisory-april-17-2018-tibco-jasperreports-2018-5430
- https://nvd.nist.gov/vuln/detail/CVE-2018-5430
Remediation Due Date: 2023-01-19
Suricata
ET EXPLOIT TIBCO JasperReports Authenticated Arbitrary File Read Attempt (CVE-2018-5430)
suricata · 2023-01-05 · CVSS 8.8 · HIGH
Rule: sid 2043229, rev 1; full rule text is given under Detection & IOCs above.
Bugzilla
CVE-2018-5430 jasperreports: read-only access to the contents of the web application for authenticated user
bugzilla · 2018-04-23 · CVSS 8.8 · HIGH
Bugzilla
CVE-2018-5429 CVE-2018-5430 CVE-2018-5431 jasperreports: various flaws [fedora-all]
bugzilla · 2018-04-23 · CVSS 8.8 · HIGH
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported ve
References
- https://rhinosecuritylabs.com/application-security/authenticated-file-read-vulnerability-in-jasperreports/
- https://www.exploit-db.com/exploits/44623/
- https://www.tibco.com/support/advisories/2018/04/tibco-security-advisory-april-17-2018-tibco-jasperreports-2018-5430
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-5430
Timeline
2018-04-17: Published
2022-12-29: Added to CISA KEV
Exploited in the wild