Path traversal in JasperSoft products - CVE-2022-22771

 

Path traversal in JasperSoft products - CVE-2022-22771

Published: March 16, 2022


Vulnerability identifier: #VU61397
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2022-22771
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: TIBCO
JasperSoft
Affected software:
TIBCO JasperReports Library
TIBCO JasperReports Library for ActiveMatrix BPM
TIBCO JasperReports Server
TIBCO JasperReports Server for AWS Marketplace
TIBCO JasperReports Server for ActiveMatrix BPM
TIBCO JasperReports Server for Microsoft Azure

Detailed vulnerability description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences in the Server component. A remote user can send a specially crafted HTTP request and read arbitrary files on the system.


How to mitigate CVE-2022-22771

Install update from vendor's website.

Sources