fkie_cve-2018-5429
Vulnerability from fkie_nvd
Published
2018-04-17 18:29
Modified
2024-11-21 04:08
Severity ?
8.8 (High) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
A vulnerability in the report scripting component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO JasperReports Library, TIBCO JasperReports Library Community Edition, TIBCO JasperReports Library for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, TIBCO Jaspersoft Reporting and Analytics for AWS, TIBCO Jaspersoft Studio, TIBCO Jaspersoft Studio Community Edition, and TIBCO Jaspersoft Studio for ActiveMatrix BPM may allow analytic reports that contain scripting to perform arbitrary code execution. Affected releases include TIBCO Software Inc.'s TIBCO JasperReports Server: versions up to and including 6.2.4; 6.3.0; 6.3.2;6.3.3; 6.4.0; 6.4.2, TIBCO JasperReports Server Community Edition: versions up to and including 6.4.2, TIBCO JasperReports Server for ActiveMatrix BPM: versions up to and including 6.4.2, TIBCO JasperReports Library: versions up to and including 6.2.4; 6.3.0; 6.3.2; 6.3.3; 6.4.0; 6.4.1; 6.4.2, TIBCO JasperReports Library Community Edition: versions up to and including 6.4.3, TIBCO JasperReports Library for ActiveMatrix BPM: versions up to and including 6.4.2, TIBCO Jaspersoft for AWS with Multi-Tenancy: versions up to and including 6.4.2, TIBCO Jaspersoft Reporting and Analytics for AWS: versions up to and including 6.4.2, TIBCO Jaspersoft Studio: versions up to and including 6.2.4; 6.3.0; 6.3.2; 6.3.3; 6.4.0; 6.4.2, TIBCO Jaspersoft Studio Community Edition: versions up to and including 6.4.3, TIBCO Jaspersoft Studio for ActiveMatrix BPM: versions up to and including 6.4.2.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| tibco | jasperreports_server | * | |
| tibco | jasperreports_server | * | |
| tibco | jasperreports_server | * | |
| tibco | jasperreports_server | 6.3.0 | |
| tibco | jasperreports_server | 6.3.2 | |
| tibco | jasperreports_server | 6.3.3 | |
| tibco | jasperreports_server | 6.4.0 | |
| tibco | jasperreports_server | 6.4.2 | |
| tibco | jasperreports_library | * | |
| tibco | jasperreports_library | * | |
| tibco | jasperreports_library | * | |
| tibco | jasperreports_library | 6.3.0 | |
| tibco | jasperreports_library | 6.3.2 | |
| tibco | jasperreports_library | 6.3.3 | |
| tibco | jasperreports_library | 6.4.0 | |
| tibco | jasperreports_library | 6.4.1 | |
| tibco | jasperreports_library | 6.4.2 | |
| tibco | jaspersoft | * | |
| tibco | jaspersoft_reporting_and_analytics | * | |
| tibco | jaspersoft_studio | * | |
| tibco | jaspersoft_studio | * | |
| tibco | jaspersoft_studio | * | |
| tibco | jaspersoft_studio | 6.3.0 | |
| tibco | jaspersoft_studio | 6.3.2 | |
| tibco | jaspersoft_studio | 6.3.3 | |
| tibco | jaspersoft_studio | 6.4.0 | |
| tibco | jaspersoft_studio | 6.4.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:tibco:jasperreports_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "83D3533B-42CF-400B-A9E2-94302E009201",
"versionEndIncluding": "6.2.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:tibco:jasperreports_server:*:*:*:*:*:activematrix_bpm:*:*",
"matchCriteriaId": "F8B7F2D6-580E-490B-83F5-56F76F125BA9",
"versionEndIncluding": "6.4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:tibco:jasperreports_server:*:*:*:*:community:*:*:*",
"matchCriteriaId": "41D39313-991B-43DD-B830-06BE226E3FF6",
"versionEndIncluding": "6.4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:tibco:jasperreports_server:6.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "8FF00ED7-2B4C-4043-A061-84ADFB785C92",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:tibco:jasperreports_server:6.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D0B0408C-9F3F-48A7-A8B4-379B90557E95",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:tibco:jasperreports_server:6.3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "D32E717A-31B1-4415-B6B9-E39FAC38E756",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:tibco:jasperreports_server:6.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B714B874-89AD-49AD-8B8D-2EEDF6804E1C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:tibco:jasperreports_server:6.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "5A7A9802-61F8-45AC-B5C5-82521DF50B4F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:tibco:jasperreports_library:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0ADDCC84-2AB8-4759-A83C-53E31C2B4C44",
"versionEndIncluding": "6.2.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:tibco:jasperreports_library:*:*:*:*:*:activematrix_bpm:*:*",
"matchCriteriaId": "2D6E1EDB-11E7-4F2F-AD02-8CF21C721E83",
"versionEndIncluding": "6.4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:tibco:jasperreports_library:*:*:*:*:community:*:*:*",
"matchCriteriaId": "7A3B8FD1-6251-474E-8481-BF30ECF52284",
"versionEndIncluding": "6.4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:tibco:jasperreports_library:6.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "BDEEB975-7721-436C-A8EF-62C91A67D5E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:tibco:jasperreports_library:6.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "A77C998E-10BD-49CE-AA25-57D24DE782B2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:tibco:jasperreports_library:6.3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "3C4051E7-D4F9-4285-A7E2-BC0BA45365AA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:tibco:jasperreports_library:6.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E28FF909-232C-4C5E-981D-BD5438FD0D28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:tibco:jasperreports_library:6.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "29FE5644-D4B9-404D-9169-2AAF87721234",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:tibco:jasperreports_library:6.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "15FC0C65-B16F-402F-B5D9-10F4EE2C06FC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:tibco:jaspersoft:*:*:*:*:*:aws_with_multi-tenancy:*:*",
"matchCriteriaId": "E45760CC-1126-49FA-B86F-1DBEB379F4D4",
"versionEndIncluding": "6.4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:tibco:jaspersoft_reporting_and_analytics:*:*:*:*:*:aws:*:*",
"matchCriteriaId": "9B604288-1622-4FA1-B48B-9F11EB1C3140",
"versionEndIncluding": "6.4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:tibco:jaspersoft_studio:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9012FB6C-09B5-4E7E-93FA-07EEFD412DFD",
"versionEndIncluding": "6.2.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:tibco:jaspersoft_studio:*:*:*:*:*:activematrix_bpm:*:*",
"matchCriteriaId": "6E46934C-3A07-4478-91D3-2374848B9637",
"versionEndIncluding": "6.4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:tibco:jaspersoft_studio:*:*:*:*:community:*:*:*",
"matchCriteriaId": "B67854F9-91AC-430D-BC18-A804E844B2E6",
"versionEndIncluding": "6.4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:tibco:jaspersoft_studio:6.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "40D22C6F-FF80-4154-AC3D-2D27987E7ACC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:tibco:jaspersoft_studio:6.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "EEE165BF-269E-4964-8051-1AE06A911851",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:tibco:jaspersoft_studio:6.3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "15556DBC-8987-4121-AB6E-F1E70E47CA2C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:tibco:jaspersoft_studio:6.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C5D48582-55FC-4D7F-8B01-A649A19A1E9B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:tibco:jaspersoft_studio:6.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "098D98D0-1C9E-4F04-9F80-2BBA485CA9D7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in the report scripting component of TIBCO Software Inc.\u0027s TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO JasperReports Library, TIBCO JasperReports Library Community Edition, TIBCO JasperReports Library for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, TIBCO Jaspersoft Reporting and Analytics for AWS, TIBCO Jaspersoft Studio, TIBCO Jaspersoft Studio Community Edition, and TIBCO Jaspersoft Studio for ActiveMatrix BPM may allow analytic reports that contain scripting to perform arbitrary code execution. Affected releases include TIBCO Software Inc.\u0027s TIBCO JasperReports Server: versions up to and including 6.2.4; 6.3.0; 6.3.2;6.3.3; 6.4.0; 6.4.2, TIBCO JasperReports Server Community Edition: versions up to and including 6.4.2, TIBCO JasperReports Server for ActiveMatrix BPM: versions up to and including 6.4.2, TIBCO JasperReports Library: versions up to and including 6.2.4; 6.3.0; 6.3.2; 6.3.3; 6.4.0; 6.4.1; 6.4.2, TIBCO JasperReports Library Community Edition: versions up to and including 6.4.3, TIBCO JasperReports Library for ActiveMatrix BPM: versions up to and including 6.4.2, TIBCO Jaspersoft for AWS with Multi-Tenancy: versions up to and including 6.4.2, TIBCO Jaspersoft Reporting and Analytics for AWS: versions up to and including 6.4.2, TIBCO Jaspersoft Studio: versions up to and including 6.2.4; 6.3.0; 6.3.2; 6.3.3; 6.4.0; 6.4.2, TIBCO Jaspersoft Studio Community Edition: versions up to and including 6.4.3, TIBCO Jaspersoft Studio for ActiveMatrix BPM: versions up to and including 6.4.2."
},
{
"lang": "es",
"value": "Una vulnerabilidad en el componente de scripting de informes en TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO JasperReports Library, TIBCO JasperReports Library Community Edition, TIBCO JasperReports Library for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, TIBCO Jaspersoft Reporting and Analytics for AWS, TIBCO Jaspersoft Studio, TIBCO Jaspersoft Studio Community Edition y TIBCO Jaspersoft Studio for ActiveMatrix BPM, de TIBCO Software Inc., podr\u00eda permitir que informes anal\u00edticos que contengan scripting realicen ejecuci\u00f3n de c\u00f3digo arbitrario. Las versiones afectadas incluyen a TIBCO JasperReports Server: versiones hasta e incluyendo la 6.2.4, 6.3.0, 6.3.2, 6.3.3, 6.4.0 y 6.4.2; TIBCO JasperReports Server Community Edition: versiones hasta e incluyendo la 6.4.2; TIBCO JasperReports Server for ActiveMatrix BPM: versiones hasta e incluyendo la 6.4.2; TIBCO JasperReports Library: versiones hasta e incluyendo la 6.2.4, 6.3.0, 6.3.2, 6.3.3, 6.4.0, 6.4.1 y 6.4.2; TIBCO JasperReports Library Community Edition: versiones hasta e incluyendo la 6.4.3; TIBCO JasperReports Library for ActiveMatrix BPM: versiones hasta e incluyendo la 6.4.2; TIBCO Jaspersoft for AWS with Multi-Tenancy: versiones hasta e incluyendo la 6.4.2; TIBCO Jaspersoft Reporting and Analytics for AWS: versiones hasta e incluyendo la 6.4.2; TIBCO Jaspersoft Studio: versiones hasta e incluyendo la 6.2.4, 6.3.0, 6.3.2, 6.3.3, 6.4.0 y 6.4.2; TIBCO Jaspersoft Studio Community Edition: versiones hasta e incluyendo la 6.4.3; TIBCO Jaspersoft Studio for ActiveMatrix BPM: versiones hasta e incluyendo la 6.4.2, de TIBCO Software Inc."
}
],
"id": "CVE-2018-5429",
"lastModified": "2024-11-21T04:08:47.023",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "security@tibco.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-04-17T18:29:00.213",
"references": [
{
"source": "security@tibco.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.tibco.com/support/advisories/2018/04/tibco-security-advisory-april-17-2018-tibco-jasperreports-2018-5429"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.tibco.com/support/advisories/2018/04/tibco-security-advisory-april-17-2018-tibco-jasperreports-2018-5429"
}
],
"sourceIdentifier": "security@tibco.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.