#VU57326 Improper access control in TIBCO Server applications


Published: 2021-10-13

Vulnerability identifier: #VU57326

Vulnerability risk: Medium

CVSSv3.1: 7.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-35495

CWE-ID: CWE-284

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
TIBCO JasperReports Server (Web applications / Other software)
TIBCO JasperReports Server - Community Edition (Server applications / Other server solutions)
TIBCO JasperReports Server - Developer Edition (Server applications / Other server solutions)
TIBCO JasperReports Server for AWS Marketplace (Server applications / Other server solutions)
TIBCO JasperReports Server for ActiveMatrix BPM (Server applications / Other server solutions)
TIBCO JasperReports Server for Microsoft Azure (Server applications / Other server solutions)

Vendor: JasperSoft, TIBCO

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in the Scheduler Connection component. A remote authenticated attacker can bypass implemented security restrictions and obtain FTP server passwords for other users of the affected system.

Mitigation
Install updates from the vendor's website.

Vulnerable software versions

TIBCO JasperReports Server: 4.7 - 7.9.0

TIBCO JasperReports Server - Community Edition: 7.8.0

TIBCO JasperReports Server - Developer Edition: 7.9.0

TIBCO JasperReports Server for AWS Marketplace: 7.9.0

TIBCO JasperReports Server for ActiveMatrix BPM: 7.9.0

TIBCO JasperReports Server for Microsoft Azure: 7.8.0


External links
http://www.tibco.com/services/support/advisories
http://www.tibco.com/support/advisories/2021/10/tibco-security-advisory-october-12-2021-tibco-jasperreports-server-2021-35495


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
