CVE-2018-18815 - The REST API component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Serv

CVE-2018-18815

Summary

The REST API component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, and TIBCO Jaspersoft Reporting and Analytics for AWS contains a vulnerability that theoretically allows unauthenticated users to bypass authorization checks for portions of the HTTP interface to the JasperReports Server. Affected releases are TIBCO Software Inc.'s TIBCO JasperReports Server: 6.4.0; 6.4.1; 6.4.2; 6.4.3; 7.1.0, TIBCO JasperReports Server Community Edition: versions up to and including 7.1.0, TIBCO JasperReports Server for ActiveMatrix BPM: versions up to and including 6.4.3, TIBCO Jaspersoft for AWS with Multi-Tenancy: versions up to and including 7.1.0, and TIBCO Jaspersoft Reporting and Analytics for AWS: versions up to and including 7.1.0.

References

Vulnerable Configurations

cpe:2.3:a:tibco:jasperreports_server:6.4.0:*:*:*:*:*:*:*
cpe:2.3:a:tibco:jasperreports_server:6.4.0:*:*:*:*:*:*:*
cpe:2.3:a:tibco:jasperreports_server:6.4.1:*:*:*:*:*:*:*
cpe:2.3:a:tibco:jasperreports_server:6.4.1:*:*:*:*:*:*:*
cpe:2.3:a:tibco:jasperreports_server:6.4.2:*:*:*:*:*:*:*
cpe:2.3:a:tibco:jasperreports_server:6.4.2:*:*:*:*:*:*:*
cpe:2.3:a:tibco:jasperreports_server:6.4.3:*:*:*:*:*:*:*
cpe:2.3:a:tibco:jasperreports_server:6.4.3:*:*:*:*:*:*:*
cpe:2.3:a:tibco:jasperreports_server:*:*:*:*:*:activematrix_bpm:*:*
cpe:2.3:a:tibco:jasperreports_server:*:*:*:*:*:activematrix_bpm:*:*
cpe:2.3:a:tibco:jasperreports_server:7.1.0:*:*:*:*:*:*:*
cpe:2.3:a:tibco:jasperreports_server:7.1.0:*:*:*:*:*:*:*
cpe:2.3:a:tibco:jasperreports_server:6.4.0:*:*:*:community:*:*:*
cpe:2.3:a:tibco:jasperreports_server:6.4.0:*:*:*:community:*:*:*
cpe:2.3:a:tibco:jaspersoft:*:*:*:*:*:aws_with_multi-tenancy:*:*
cpe:2.3:a:tibco:jaspersoft:*:*:*:*:*:aws_with_multi-tenancy:*:*
cpe:2.3:a:tibco:jaspersoft_reporting_and_analytics:*:*:*:*:*:aws:*:*
cpe:2.3:a:tibco:jaspersoft_reporting_and_analytics:*:*:*:*:*:aws:*:*

CVSS

Base:	7.5 (as of 03-10-2019 - 00:03)
Impact:
Exploitability:

CWE

CWE-863

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:N/AC:L/Au:N/C:P/I:P/A:P

refmap via4

bid	107346
confirm	https://www.tibco.com/support/advisories/2019/03/tibco-security-advisory-march-6-2019-tibco-jasperreports-library-2018-18809 https://www.tibco.com/support/advisories/2019/03/tibco-security-advisory-march-6-2019-tibco-jasperreports-server-2018-18815
misc	http://www.tibco.com/services/support/advisories https://www.zerodayinitiative.com/advisories/ZDI-19-305/

Last major update

03-10-2019 - 00:03

Published

07-03-2019 - 22:29

Last modified

03-10-2019 - 00:03