Hector Monsegur

**Name of the Vulnerable Software and Affected Versions** TIBCO JasperReports Server versions up to and including 6.4.2 TIBCO JasperReports Server Community Edition versions up to and including 6.4.2 TIBCO JasperReports Server for ActiveMatrix BPM versions up to and including 6.4.2 TIBCO Jaspersoft for AWS with Multi-Tenancy versions up to and including 6.4.2 TIBCO Jaspersoft Reporting and Analytics for AWS versions up to and including 6.4.2 **Description** The vulnerability in the Spring web flows of the affected TIBCO products may allow any authenticated user read-only access to the contents of the web application, including key configuration files. This issue exists due to incorrect restriction of the directory path name with limited access. Exploitation of the vulnerability may allow a remote attacker to disclose protected information. **Recommendations** For TIBCO JasperReports Server versions up to and including 6.4.2, update to a version later than 6.4.2 to resolve the issue. For TIBCO JasperReports Server Community Edition versions up to and including 6.4.2, update to a version later than 6.4.2 to resolve the issue. For TIBCO JasperReports Server for ActiveMatrix BPM versions up to and including 6.4.2, update to a version later than 6.4.2 to resolve the issue. For TIBCO Jaspersoft for AWS with Multi-Tenancy versions up to and including 6.4.2, update to a version later than 6.4.2 to resolve the issue. For TIBCO Jaspersoft Reporting and Analytics for AWS versions up to and including 6.4.2, update to a version later than 6.4.2 to resolve the issue.