CVE-2020-9409

The administrative UI component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server for AWS Marketplace, and TIBCO JasperReports Server for ActiveMatrix BPM contains a vulnerability that theoretically allows an unauthenticated attacker to obtain the permissions of a JasperReports Server "superuser" for the affected systems. The attacker can theoretically exploit the vulnerability consistently, remotely, and without authenticating. Affected releases are TIBCO Software Inc.'s TIBCO JasperReports Server: versions 7.1.1 and below, TIBCO JasperReports Server for AWS Marketplace: versions 7.1.1 and below, and TIBCO JasperReports Server for ActiveMatrix BPM: versions 7.1.1 and below.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
tibcoCNA
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 85%
VendorProductVersion
tibcojasperreports_server
𝑥
≤ 7.1.1
tibcojasperreports_server
𝑥
≤ 7.1.1
tibcojasperreports_server
𝑥
≤ 7.1.1
oracleretail_order_broker
15.0
oracleretail_order_broker
16.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://www.tibco.com/services/support/advisories
https://www.oracle.com/security-alerts/cpuoct2020.html
http://www.tibco.com/services/support/advisories
https://www.oracle.com/security-alerts/cpuoct2020.html