
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two-year-old security flaws affecting TIBCO Software's JasperReports product to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The flaws, tracked as CVE-2018-5430 (CVSS score: 7.7) and CVE-2018-18809 (CVSS score: 9.9), were addressed by TIBCO in April 2018 and March 2019, respectively.
TIBCO JasperReports is a Java-based reporting and data analysis platform for creating, distributing and managing reports and dashboards.

The first of the two issues, CVE-2018-5430, is an information disclosure bug in a server component that allows authenticated users to gain read-only access to arbitrary files, including key configuration files.

“This impact includes the possibility of read-only access by authenticated users to web application configuration files containing credentials used by the server,” TIBCO said at the time. “These credentials may be used to influence external systems that the JasperReports server accesses.”
CVE-2018-18809, on the other hand, is a directory traversal vulnerability in the JasperReports library that may allow web server users to access sensitive files on the host, potentially letting attackers steal credentials and compromise the system.
CISA has not disclosed any additional details about how the vulnerabilities are being weaponized in real-world attacks. U.S. federal agencies have until January 19, 2023, to patch their systems.
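Because a KEV listing comes with a remediation deadline, the practical first step for a defender is to match the catalog against their own asset inventory. The script below is an added example, not code from the article or from CISA: it parses records shaped like CISA's published KEV JSON feed (the sample feed is constructed inline, with a constructed dateAdded and a placeholder third entry) and reports how many days remain before each due date for the CVEs found in the inventory.

```python
"""Triage helper for CISA KEV entries (added example, not from the article).

The real KEV feed is a JSON document with a top-level "vulnerabilities" list;
the records below are constructed to mirror its field names. Given that feed
and the CVE IDs present in an asset inventory, report which inventory CVEs
are on KEV and how many days remain before CISA's remediation due date.
"""
import json
from datetime import date

# Constructed sample feed: the two TIBCO entries from the article (dueDate is
# the January 19, 2023 deadline cited above; dateAdded is a constructed value)
# plus one placeholder entry that should not match anything in the inventory.
SAMPLE_KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2018-5430", "vendorProject": "TIBCO",
         "product": "JasperReports", "dateAdded": "2022-12-01",
         "dueDate": "2023-01-19", "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2018-18809", "vendorProject": "TIBCO",
         "product": "JasperReports", "dateAdded": "2022-12-01",
         "dueDate": "2023-01-19", "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-0000-0000", "vendorProject": "PlaceholderVendor",
         "product": "PlaceholderProduct", "dateAdded": "2022-11-01",
         "dueDate": "2022-11-22", "requiredAction": "Apply updates per vendor instructions."},
    ],
})

def load_kev(feed_json: str) -> dict:
    """Index KEV records by CVE ID, normalised to upper case."""
    data = json.loads(feed_json)
    return {v["cveID"].upper(): v for v in data["vulnerabilities"]}

def triage(feed_json: str, inventory_cves, today_iso: str) -> list:
    """Return (cve, 'vendor product', days_until_due) for inventory CVEs on KEV.

    days_until_due is negative once the CISA due date has passed. Results are
    sorted most-overdue first, then by CVE ID so the order is deterministic.
    """
    kev = load_kev(feed_json)
    today = date.fromisoformat(today_iso)
    hits = []
    for cve in {c.upper() for c in inventory_cves}:
        rec = kev.get(cve)
        if rec is None:
            continue  # not on KEV: still patch, but no federal deadline attached
        due = date.fromisoformat(rec["dueDate"])
        hits.append((cve, f'{rec["vendorProject"]} {rec["product"]}', (due - today).days))
    return sorted(hits, key=lambda h: (h[2], h[0]))

if __name__ == "__main__":
    inventory = ["cve-2018-18809", "CVE-2018-5430", "CVE-0000-0001"]  # constructed
    for cve, product, days in triage(SAMPLE_KEV_FEED, inventory, "2023-01-05"):
        status = f"{days} days left" if days >= 0 else f"{-days} days OVERDUE"
        print(f"{cve:16} {product:22} {status}")
```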