CVE-2018-5429

EUVD-2018-17199
A vulnerability in the report scripting component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO JasperReports Library, TIBCO JasperReports Library Community Edition, TIBCO JasperReports Library for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, TIBCO Jaspersoft Reporting and Analytics for AWS, TIBCO Jaspersoft Studio, TIBCO Jaspersoft Studio Community Edition, and TIBCO Jaspersoft Studio for ActiveMatrix BPM may allow analytic reports that contain scripting to perform arbitrary code execution.

Affected releases include TIBCO Software Inc.'s TIBCO JasperReports Server: versions up to and including 6.2.4; 6.3.0; 6.3.2; 6.3.3; 6.4.0; 6.4.2, TIBCO JasperReports Server Community Edition: versions up to and including 6.4.2, TIBCO JasperReports Server for ActiveMatrix BPM: versions up to and including 6.4.2, TIBCO JasperReports Library: versions up to and including 6.2.4; 6.3.0; 6.3.2; 6.3.3; 6.4.0; 6.4.1; 6.4.2, TIBCO JasperReports Library Community Edition: versions up to and including 6.4.3, TIBCO JasperReports Library for ActiveMatrix BPM: versions up to and including 6.4.2, TIBCO Jaspersoft for AWS with Multi-Tenancy: versions up to and including 6.4.2, TIBCO Jaspersoft Reporting and Analytics for AWS: versions up to and including 6.4.2, TIBCO Jaspersoft Studio: versions up to and including 6.2.4; 6.3.0; 6.3.2; 6.3.3; 6.4.0; 6.4.2, TIBCO Jaspersoft Studio Community Edition: versions up to and including 6.4.3, TIBCO Jaspersoft Studio for ActiveMatrix BPM: versions up to and including 6.4.2.
CVSS 3.x Base Score

Provider  Type     Base Score  Atk. Vector  Atk. Complexity  Priv. Required  Vector
NIST      Primary  8.8 HIGH    NETWORK      LOW              LOW             CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
tibco     CNA      8.8 HIGH    NETWORK      LOW              LOW             CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score: Percentile 75%
Affected Products (NVD)

Vendor  Product                              Version
tibco   jasperreports_server                 x  <= 6.2.4
tibco   jasperreports_server                 x  <= 6.4.2
tibco   jasperreports_server                 x  <= 6.4.2
tibco   jasperreports_server                    6.3.0
tibco   jasperreports_server                    6.3.2
tibco   jasperreports_server                    6.3.3
tibco   jasperreports_server                    6.4.0
tibco   jasperreports_server                    6.4.2
tibco   jasperreports_library                x  <= 6.2.4
tibco   jasperreports_library                x  <= 6.4.2
tibco   jasperreports_library                x  <= 6.4.3
tibco   jasperreports_library                   6.3.0
tibco   jasperreports_library                   6.3.2
tibco   jasperreports_library                   6.3.3
tibco   jasperreports_library                   6.4.0
tibco   jasperreports_library                   6.4.1
tibco   jasperreports_library                   6.4.2
tibco   jaspersoft                           x  <= 6.4.2
tibco   jaspersoft_reporting_and_analytics   x  <= 6.4.2
tibco   jaspersoft_studio                    x  <= 6.2.4
tibco   jaspersoft_studio                    x  <= 6.4.2
tibco   jaspersoft_studio                    x  <= 6.4.3
tibco   jaspersoft_studio                       6.3.0
tibco   jaspersoft_studio                       6.3.2
tibco   jaspersoft_studio                       6.3.3
tibco   jaspersoft_studio                       6.4.0
tibco   jaspersoft_studio                       6.4.2

x = vulnerable software versions (version range "<= N" means all versions up to and including N)
Ubuntu Releases

Ubuntu Product: jasperreports

Codename  Status
bionic    needs-triage
focal     dne
groovy    dne
hirsute   dne
impish    dne
jammy     dne
kinetic   dne
lunar     dne
mantic    dne
noble     dne
trusty    dne
xenial    needs-triage

(dne = package does not exist in that release)