CVE-2018-5430
published 2018-04-17


Priority: P1 · 85 · high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, due 2023-01-19
Exploited in the wild
EPSS: 48.75% (98.7th percentile)
The Spring web flows of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, and TIBCO Jaspersoft Reporting and Analytics for AWS contain a vulnerability which may allow any authenticated user read-only access to the contents of the web application, including key configuration files. Affected releases include TIBCO Software Inc.'s TIBCO JasperReports Server: versions up to and including 6.2.4; 6.3.0; 6.3.2; 6.3.3; 6.4.0; 6.4.2, TIBCO JasperReports Server Community Edition: versions up to and including 6.4.2, TIBCO JasperReports Server for ActiveMatrix BPM: versions up to and including 6.4.2, TIBCO Jaspersoft for AWS with Multi-Tenancy: versions up to and including 6.4.2, TIBCO Jaspersoft Reporting and Analytics for AWS: versions up to and including 6.4.2.

Affected

19 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tibco | jasperreports_server | <= 6.2.4 | |
| tibco | jasperreports_server | <= 6.4.2 | |
| tibco | jasperreports_server | | |
| tibco | jasperreports_server | | |
| tibco | jasperreports_server | | |
| tibco | jasperreports_server | | |
| tibco | jasperreports_server | | |
| tibco | jaspersoft | <= 6.4.2 | |
| tibco | jaspersoft_reporting_and_analytics | <= 6.4.2 | |
| tibco_software_inc | tibco_jasperreports_server | | |
| tibco_software_inc | tibco_jasperreports_server | | |
| tibco_software_inc | tibco_jasperreports_server | | |
| tibco_software_inc | tibco_jasperreports_server | | |
| tibco_software_inc | tibco_jasperreports_server | | |
| tibco_software_inc | tibco_jasperreports_server | unspecified – 6.2.4 | |
| tibco_software_inc | tibco_jasperreports_server_community_edition | unspecified – 6.4.2 | |
| tibco_software_inc | tibco_jasperreports_server_for_activematrix_bpm | unspecified – 6.4.2 | |
| tibco_software_inc | tibco_jaspersoft_for_aws_with_multi-tenancy | unspecified – 6.4.2 | |
| tibco_software_inc | tibco_jaspersoft_reporting_and_analytics_for_aws | unspecified – 6.4.2 | |

Detection & IOCs (extracted from sources)

url: /jasperserver-pro/flow.html?_flowId=sampleFlow&page=../../../js.jdbc.properties;
url: /jasperserver-pro/flow.html?_flowId=sampleFlow&page=../../../jsp/modules/administer/awsConfiguration
url: /jasperserver-pro/flow.html?_flowId=sampleFlow&page=../../../jsp/modules/administer/file;
path: /WEB-INF/jsp/modules/administer/adminImport.jsp
filename: js.jdbc.properties
snort:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT TIBCO JasperReports Authenticated Arbitrary File Read Attempt (CVE-2018-5430)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/flow.html?_flowId=sampleFlow&"; pcre:"/^page=\.\.+/RUi"; reference:cve,2018-5430; reference:url,rhinosecuritylabs.com/application-security/authenticated-file-read-vulnerability-in-jasperreports/; classtype:web-application-attack; sid:2043229; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2023_01_05, cve CVE_2018_5430, deployment Perimeter, deployment Datacenter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_01_05;)
  • Path traversal via the unsanitized 'page' parameter in Spring web flow requests: look for GET requests to /flow.html?_flowId=sampleFlow& in which the 'page' parameter value begins with '../'.
  • Monitor for authenticated GET requests to /flow.html with _flowId=sampleFlow and a page parameter containing directory traversal sequences (../). The PCRE in the Emerging Threats rule above is /^page=\.\.+/RUi.
  • Post-intrusion LFI scenario: an attacker uploads a JSP webshell without a .jsp extension, then executes it through the path traversal LFI vector using the semicolon bypass technique.
  • The vulnerability requires authentication, but any privilege level is sufficient to exploit the path traversal.
  • The 'page' parameter traversal can expose key configuration files such as js.jdbc.properties, which may contain database credentials usable for lateral movement.
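
The monitoring guidance above, applied to web server access logs, as an added example (not code from this page, Emerging Threats or TIBCO). It assumes combined-format access logs; the log lines, user names, the `searchFlow` and `overview` values and all function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Request line and status of a combined-format access log entry (format is an assumption).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# ".." as a whole path segment, delimited by a slash, backslash, semicolon or string end.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/;]|$)')

def normalise(value, rounds=3):
    """Percent-decode a bounded number of times so encoded '../' matches as well."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def inspect_line(line):
    """Return a finding for a CVE-2018-5430-shaped request, or None."""
    m = REQUEST_RE.search(line)
    if not m or m["method"] != "GET":
        return None
    url = urlsplit(m["target"])
    if not url.path.lower().endswith("/flow.html"):
        return None
    params = dict(parse_qsl(url.query, keep_blank_values=True, separator="&"))
    if params.get("_flowId") != "sampleFlow":
        return None
    page = normalise(params.get("page", ""))
    if not TRAVERSAL_RE.search(page):
        return None
    return {
        "page": page,
        "status": int(m["status"]),
        "semicolon_suffix": page.endswith(";"),  # trailing ';' as in the listed URLs
        "served": m["status"] == "200",          # 200 suggests content was returned
    }

def scan(lines):
    return [f for f in map(inspect_line, lines) if f]

# Constructed sample log lines (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - jdoe [05/Jan/2023:10:00:01 +0000] "GET /jasperserver-pro/flow.html?_flowId=sampleFlow&page=../../../js.jdbc.properties; HTTP/1.1" 200 1843',
    '192.0.2.10 - jdoe [05/Jan/2023:10:00:07 +0000] "GET /jasperserver-pro/flow.html?_flowId=sampleFlow&page=%2e%2e%2f%2e%2e%2fjs.jdbc.properties HTTP/1.1" 404 512',
    '198.51.100.7 - asmith [05/Jan/2023:10:01:15 +0000] "GET /jasperserver-pro/flow.html?_flowId=searchFlow&mode=search HTTP/1.1" 200 9120',
    '198.51.100.7 - asmith [05/Jan/2023:10:02:30 +0000] "GET /jasperserver-pro/flow.html?_flowId=sampleFlow&page=overview HTTP/1.1" 200 4410',
]

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

Findings with `served` set are the ones to triage first, since a 200 response to a request for a file such as js.jdbc.properties means any credentials it holds should be treated as exposed.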

CVSS provenance

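| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 7.7 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N |
| nvd | v2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |
| osv | | 8.8 | HIGH | |
| vulncheck | | 8.8 | HIGH | |
| cisa | | 8.8 | HIGH | |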