Path traversal in JasperSoft products - CVE-2022-22771
Published: March 16, 2022
Vulnerability identifier: #VU61397
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2022-22771
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
TIBCO JasperReports Library
TIBCO JasperReports Library for ActiveMatrix BPM
TIBCO JasperReports Server
TIBCO JasperReports Server for AWS Marketplace
TIBCO JasperReports Server for ActiveMatrix BPM
TIBCO JasperReports Server for Microsoft Azure
Software vendor:
TIBCO
JasperSoft
Description
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to an input validation error when processing directory traversal sequences in the Server component. A remote user can send a specially crafted HTTP request and read arbitrary files on the system.
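The defensive control for CWE-22 is to resolve the requested name against a fixed base directory and then verify that the canonical result still lies inside that directory, rather than searching the raw input for "../". The following is an added example written for this page, not code from TIBCO or from JasperReports Server; the base directory `/srv/app/reports`, the function names and the sample request paths are all constructed for illustration. It uses pure string normalization (`posixpath`) so it runs offline on any platform; a real deployment would additionally resolve symlinks with `os.path.realpath` before the containment check.

```python
import posixpath
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed base directory for the example; not a JasperReports path.
REPORT_ROOT = "/srv/app/reports"


def resolve_within_root(requested: str, root: str = REPORT_ROOT) -> Optional[str]:
    """Return the normalized absolute path for `requested` if it stays inside
    `root`, otherwise None.

    Steps: percent-decode repeatedly (so a doubly encoded %252e%252e is not
    missed), treat backslashes as separators, strip leading slashes so an
    absolute request cannot replace the root, normalize, then check
    containment on the normalized result rather than on the raw input."""
    decoded = requested
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    decoded = decoded.replace("\\", "/")
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, decoded.lstrip("/")))
    # The trailing "/" prevents a sibling such as /srv/app/reportsX from
    # passing a plain prefix test.
    if candidate == root_norm or candidate.startswith(root_norm + "/"):
        return candidate
    return None


def classify_requests(paths: List[str]) -> List[Tuple[str, bool]]:
    """Label each constructed request path as allowed (True) or rejected
    (False); useful for reviewing access logs or writing regression tests."""
    return [(p, resolve_within_root(p) is not None) for p in paths]


if __name__ == "__main__":
    # Constructed sample request paths, not captured traffic.
    samples = [
        "monthly/sales.jrxml",              # ordinary report name
        "monthly/../sales.jrxml",           # dot-dot that stays inside root
        "../../../etc/passwd",              # plain traversal
        "%2e%2e/%2e%2e/etc/passwd",         # percent-encoded traversal
        "%252e%252e/%252e%252e/etc/passwd", # double-encoded traversal
        "..\\..\\windows\\win.ini",         # backslash separators
    ]
    for path, allowed in classify_requests(samples):
        print(f"{'ALLOW ' if allowed else 'REJECT'} {path!r} -> {resolve_within_root(path)!r}")
```

A blocklist that only rejects the literal string `../` passes the encoded and backslash variants above; normalizing first and then checking the result against the root catches all of them with one rule.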
Remediation
Install update from vendor's website.