CVE-2022-22771
published 2022-03-15

Priority: P3 (53) | high, 8.8 (CVSS 3.1)
AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EPSS: 2.10% (79.3th percentile)
The Server component of TIBCO Software Inc.'s TIBCO JasperReports Library, TIBCO JasperReports Library for ActiveMatrix BPM, TIBCO JasperReports Server, TIBCO JasperReports Server for AWS Marketplace, TIBCO JasperReports Server for ActiveMatrix BPM, and TIBCO JasperReports Server for Microsoft Azure contains a directory-traversal vulnerability that may theoretically allow web server users to access contents of the host system. Affected releases are TIBCO Software Inc.'s TIBCO JasperReports Library: version 7.9.0, TIBCO JasperReports Library for ActiveMatrix BPM: version 7.9.0, TIBCO JasperReports Server: versions 7.9.0 and 7.9.1, TIBCO JasperReports Server for AWS Marketplace: versions 7.9.0 and 7.9.1, TIBCO JasperReports Server for ActiveMatrix BPM: versions 7.9.0 and 7.9.1, and TIBCO JasperReports Server for Microsoft Azure: version 7.9.1.

Affected

12 ranges
Vendor | Product | Version range | Fixed in
tibco | jasperreports_library | |
tibco | jasperreports_server | |
tibco | jasperreports_server | |
tibco_software_inc | tibco_jasperreports_library | |
tibco_software_inc | tibco_jasperreports_library_for_activematrix_bpm | |
tibco_software_inc | tibco_jasperreports_server | |
tibco_software_inc | tibco_jasperreports_server | |
tibco_software_inc | tibco_jasperreports_server_for_activematrix_bpm | |
tibco_software_inc | tibco_jasperreports_server_for_activematrix_bpm | |
tibco_software_inc | tibco_jasperreports_server_for_aws_marketplace | |
tibco_software_inc | tibco_jasperreports_server_for_aws_marketplace | |
tibco_software_inc | tibco_jasperreports_server_for_microsoft_azure | |

CVSS provenance

nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v3.0 | 9.9 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
nvd | v2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N
osv | 8.8 | HIGH