← Back

CVE-2018-5430

nvd nist
Published: Apr 17, 2018Modified: Nov 3, 2025CISA KEV

JSON object

Loading...
8.8
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 / Impact: 5.9
Source: NVD

Description

The Spring web flows of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, and TIBCO Jaspersoft Reporting and Analytics for AWS contain a vulnerability which may allow any authenticated user read-only access to the contents of the web application, including key configuration files. Affected releases include TIBCO Software Inc.'s TIBCO JasperReports Server: versions up to and including 6.2.4; 6.3.0; 6.3.2; 6.3.3;6.4.0; 6.4.2, TIBCO JasperReports Server Community Edition: versions up to and including 6.4.2, TIBCO JasperReports Server for ActiveMatrix BPM: versions up to and including 6.4.2, TIBCO Jaspersoft for AWS with Multi-Tenancy: versions up to and including 6.4.2, TIBCO Jaspersoft Reporting and Analytics for AWS: versions up to and including 6.4.2.

Affected (10)

Tibco
3 products
Jasperreports Server
Jaspersoft
Jaspersoft Reporting And Analytics
Configuration A
8 vulnerable
Vulnerable SoftwareAffected Versions
Tibco
Jasperreports Server
Up to 6.2.4
Jasperreports Server
Up to 6.4.2
Jasperreports Server
Up to 6.4.2
Jasperreports Server
Version 6.3.0
Jasperreports Server
Version 6.3.2
Jasperreports Server
Version 6.3.3
Jasperreports Server
Version 6.4.0
Jasperreports Server
Version 6.4.2
Configuration B
2 vulnerable
Vulnerable SoftwareAffected Versions
Jaspersoft
Up to 6.4.2
Jaspersoft Reporting And Analytics
Up to 6.4.2

Related CWEs

CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References (7)

Source: security@tibco.com
ExploitThird Party Advisory
Source: security@tibco.com
ExploitThird Party AdvisoryVDB Entry
Source: security@tibco.com
Broken LinkVendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
ExploitThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
ExploitThird Party AdvisoryVDB Entry
Source: af854a3a-2127-422b-91ae-364da2661108
Broken LinkVendor Advisory
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
US Government Resource

Timeline

No history available yet.