"CISA Warns of Active exploitation of JasperReports Vulnerabilities"

The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities affecting TIBCO Software's JasperReports to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of exploitation in the wild. TIBCO patched the vulnerabilities, identified as CVE-2018-5430 (CVSS score 7.7) and CVE-2018-18809 (CVSS score 9.9), in April 2018 and March 2019, respectively. TIBCO JasperReports is a Java-based platform for creating, distributing, and managing reports and dashboards. The first vulnerability is an information disclosure flaw in the server component that could allow an authenticated user to gain read-only access to arbitrary files, including key configuration settings. The second is a directory traversal vulnerability in the JasperReports Library that could allow web server users to access sensitive files on the host, enabling an attacker to steal credentials and break into other systems. This article continues to discuss the two security flaws found in TIBCO Software's JasperReports product that have been added to CISA's KEV catalog.
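The second flaw belongs to the directory traversal class of bug, where a client-supplied file name is joined to a server directory without checking that the result stays inside it. The following Python is an added example, not TIBCO or JasperReports code: it shows the generic defensive check (decode once, normalize lexically, then confirm the resolved path on disk is still under the base directory) and a detector that flags traversal attempts in web server access logs. The base directory, the `reports/...` application paths and the log lines are constructed for the example.

```python
"""Defensive handling of client-supplied file paths and log-based detection of
traversal attempts. Added example; not TIBCO/JasperReports code. The base
directory, application paths and log lines below are constructed."""
import re
from pathlib import Path, PurePosixPath
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when a requested path would leave the allowed base directory."""


def normalize_request(requested: str) -> PurePosixPath:
    """Percent-decode ONCE and lexically normalize a client-supplied path.

    Decoding exactly once matters: a server that decodes in a loop lets a
    double-encoded '%252e%252e' slip past a first check and become '..'.
    After one decode, any remaining '%2e%2e' is just a literal file name.
    Backslashes are treated as separators, and a leading '/' is dropped so an
    absolute path cannot replace the base directory.
    """
    if "\x00" in requested:
        raise PathTraversalError("NUL byte in path")
    decoded = unquote(requested).replace("\\", "/")
    kept = []
    for seg in PurePosixPath(decoded).parts:
        if seg in ("/", "."):
            continue
        if seg == "..":
            if not kept:  # would climb above the base directory
                raise PathTraversalError(f"path escapes base directory: {requested!r}")
            kept.pop()
        else:
            kept.append(seg)
    return PurePosixPath(*kept)


def is_rejected(requested: str) -> bool:
    """True if normalize_request refuses the path (convenience for callers/tests)."""
    try:
        normalize_request(requested)
    except PathTraversalError:
        return True
    return False


def safe_resolve(base_dir: str, requested: str) -> Path:
    """Return the real filesystem path for `requested`, confined to base_dir.

    The lexical check cannot see symlinks, so the candidate is resolved on
    disk and its real location is compared with the real base directory.
    """
    base = Path(base_dir).resolve()
    target = (base / normalize_request(requested)).resolve()
    if target != base and base not in target.parents:
        raise PathTraversalError(f"resolved path {target} is outside {base}")
    return target


# Common-log-format prefix: client, ident, user, [timestamp], "METHOD PATH ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)')


def find_traversal_attempts(log_lines):
    """Return (client, raw_path) for requests whose decoded path contains a
    '..' segment or still looks percent-encoded after one decode.

    Segments are compared, not substrings, so a legitimate file name such as
    'q1..q2-summary.pdf' is not a false positive.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, raw_path = m.groups()
        decoded = unquote(raw_path).replace("\\", "/")
        if ".." in decoded.split("/") or "%2e" in decoded.lower():
            hits.append((client, raw_path))
    return hits


# Constructed access-log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2023:12:00:01 +0000] "GET /reports/sales.pdf HTTP/1.1" 200 5123',
    '203.0.113.9 - - [10/Mar/2023:12:00:02 +0000] "GET /reports/../../../../conf/app.properties HTTP/1.1" 404 0',
    '198.51.100.4 - - [10/Mar/2023:12:00:03 +0000] "GET /reports/%2e%2e%2f%2e%2e%2fconf%2fapp.properties HTTP/1.1" 403 0',
    '203.0.113.7 - - [10/Mar/2023:12:00:04 +0000] "GET /reports/q1..q2-summary.pdf HTTP/1.1" 200 811',
]

if __name__ == "__main__":
    for client, path in find_traversal_attempts(SAMPLE_LOG):
        print(f"traversal attempt from {client}: {path}")
    print("accepted:", normalize_request("reports/sales.pdf"))
    print("rejected:", is_rejected("%2e%2e/%2e%2e/conf/app.properties"))
```

The two halves complement each other: the path check is what a file-serving component should do before opening anything, and the log scan is what an operator can run over existing access logs to see whether requests of this shape reached a server before it was patched.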

THN reports "CISA Warns of Active exploitation of JasperReports Vulnerabilities"
