Vulnerability identifier: #VU57326
Vulnerability risk: Medium
CVSSv3.1: 7.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID: CWE-284
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
TIBCO JasperReports Server (Web applications / Other software)
TIBCO JasperReports Server - Community Edition (Server applications / Other server solutions)
TIBCO JasperReports Server - Developer Edition (Server applications / Other server solutions)
TIBCO JasperReports Server for AWS Marketplace (Server applications / Other server solutions)
TIBCO JasperReports Server for ActiveMatrix BPM (Server applications / Other server solutions)
TIBCO JasperReports Server for Microsoft Azure (Server applications / Other server solutions)
Vendor: JasperSoft, TIBCO
Description
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions in the Scheduler Connection component. A remote authenticated attacker can bypass the implemented security restrictions and obtain FTP server passwords belonging to other users of the affected system.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
TIBCO JasperReports Server: 4.7 - 7.9.0
TIBCO JasperReports Server - Community Edition: 7.8.0
TIBCO JasperReports Server - Developer Edition: 7.9.0
TIBCO JasperReports Server for AWS Marketplace: 7.9.0
TIBCO JasperReports Server for ActiveMatrix BPM: 7.9.0
TIBCO JasperReports Server for Microsoft Azure: 7.8.0
External links
http://www.tibco.com/services/support/advisories
http://www.tibco.com/support/advisories/2021/10/tibco-security-advisory-october-12-2021-tibco-jasperreports-server-2021-35495
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.