PT-2019-6316 · Tibco Software · Tibco Jasperreports Library For Activematrix Bpm+7

Elar Lang · Published 2019-03-07 · Updated 2025-02-12 · CVE-2018-18809

CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

TIBCO JasperReports Library versions up to and including 7.2.0
TIBCO JasperReports Library Community Edition versions up to and including 6.7.0
TIBCO JasperReports Library for ActiveMatrix BPM versions up to and including 6.4.21
TIBCO JasperReports Server versions up to and including 7.1.0
TIBCO JasperReports Server Community Edition versions up to and including 7.1.0
TIBCO JasperReports Server for ActiveMatrix BPM versions up to and including 6.4.3
TIBCO Jaspersoft for AWS with Multi-Tenancy versions up to and including 7.1.0
TIBCO Jaspersoft Reporting and Analytics for AWS versions up to and including 7.1.0

Description

The default server implementation of TIBCO Software Inc.'s TIBCO JasperReports Library contains a directory-traversal vulnerability that may theoretically allow web server users to access contents of the host system. The issue stems from incorrect restriction of a pathname to a directory with limited access. Exploitation of this vulnerability may allow a remote attacker to disclose protected information.

Recommendations

For each affected product, update to a version that includes a fix for this vulnerability:

TIBCO JasperReports Library versions up to and including 7.2.0
TIBCO JasperReports Library Community Edition versions up to and including 6.7.0
TIBCO JasperReports Library for ActiveMatrix BPM versions up to and including 6.4.21
TIBCO JasperReports Server versions up to and including 7.1.0
TIBCO JasperReports Server Community Edition versions up to and including 7.1.0
TIBCO JasperReports Server for ActiveMatrix BPM versions up to and including 6.4.3
TIBCO Jaspersoft for AWS with Multi-Tenancy versions up to and including 7.1.0
TIBCO Jaspersoft Reporting and Analytics for AWS versions up to and including 7.1.0

As a temporary workaround, consider restricting access to sensitive directories and files on the host system to minimize the risk of exploitation.

Weakness Enumeration

Path traversal

Related Identifiers

BDU:2023-00914
CVE-2018-18809

Affected Products

Tibco Jasperreports Library
Jasperreports Library Community Edition
Tibco Jasperreports Library For Activematrix Bpm
Tibco Jasperreports Server
Tibco Jasperreports Server Community Edition
Tibco Jasperreports Server For Activematrix Bpm
Tibco Jaspersoft Reporting/Analytics For Aws
Tibco Jaspersoft For Aws With Multi-Tenancy