TIBCO JasperReports Library directory traversal | CVE-2022-22771
NAME
TIBCO JasperReports Library directory traversal
- Platforms Affected:
  TIBCO JasperReports Server 7.9.0
  TIBCO JasperReports Server for AWS Marketplace 7.9.0
  TIBCO JasperReports Server for ActiveMatrix BPM 7.9.0
  TIBCO JasperReports Library 7.9.0
  TIBCO JasperReports Library for ActiveMatrix BPM 7.9.0
  TIBCO JasperReports Server 7.9.1
  TIBCO JasperReports Server for AWS Marketplace 7.9.1
  TIBCO JasperReports Server for ActiveMatrix BPM 7.9.1
  TIBCO JasperReports Server for Microsoft Azure 7.9.1
- Risk Level: 9.9
- Exploitability: Unproven
- Consequences: Obtain Information
DESCRIPTION
TIBCO JasperReports Library could allow a remote authenticated attacker to traverse directories on the system, caused by improper validation of user requests. An attacker could send a specially-crafted URL request containing “dot dot” sequences (/../) to view arbitrary files on the system, including credentials for other systems.
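The defensive pattern that closes this class of bug is to canonicalise the requested path against the report base directory and check containment on the resolved result, rather than string-matching for "..". The following is an added illustration written for this entry, not code from TIBCO or the JasperReports project; the base directory layout, file names and request strings are constructed for the demo.

```python
import tempfile
from pathlib import Path
from urllib.parse import unquote


class TraversalError(ValueError):
    """Raised when a requested path would leave the permitted base directory."""


def resolve_under_base(base_dir: str, requested: str) -> Path:
    """Return the absolute path for `requested` only if it stays inside base_dir.

    Steps: decode percent-encoding once (rejecting double-encoded input),
    refuse absolute or drive-qualified paths, resolve symlinks and ".."
    segments, then verify the *resolved* path is still under the base.
    """
    base = Path(base_dir).resolve(strict=True)
    decoded = unquote(requested)
    if unquote(decoded) != decoded:           # e.g. %252e%252e -> %2e%2e -> ..
        raise TraversalError("double-encoded path rejected")
    if decoded.startswith(("/", "\\")) or ":" in decoded:
        raise TraversalError("absolute path rejected")
    candidate = (base / decoded).resolve()
    try:
        candidate.relative_to(base)           # raises ValueError if outside base
    except ValueError as exc:
        raise TraversalError(f"path escapes base directory: {requested}") from exc
    return candidate


def check_requests(base_dir: str, requests: list[str]) -> dict[str, bool]:
    """Map each constructed request string to whether the check allows it."""
    results = {}
    for req in requests:
        try:
            resolve_under_base(base_dir, req)
            results[req] = True
        except TraversalError:
            results[req] = False
    return results


def demo() -> dict[str, bool]:
    """Build a constructed tree: <tmp>/reports (served) and <tmp>/secrets (not)."""
    root = Path(tempfile.mkdtemp())
    (root / "reports").mkdir()
    (root / "reports" / "sales.jrxml").write_text("<jasperReport/>")
    (root / "secrets").mkdir()
    (root / "secrets" / "db.properties").write_text("password=constructed")
    return check_requests(str(root / "reports"), [
        "sales.jrxml",                          # plain file inside base
        "sub/../sales.jrxml",                   # ".." that never leaves base
        "../secrets/db.properties",             # classic dot-dot escape
        "%2e%2e/secrets/db.properties",         # single URL-encoded escape
        "%252e%252e/secrets/db.properties",     # double-encoded escape
        "/etc/passwd",                          # absolute path
    ])
```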
CVSS 3.0 Information
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Access Vector: Network
- Access Complexity: Low
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
- Remediation Level: Official Fix
MITIGATION
Refer to TIBCO Security Advisory: March 15, 2022 for patch, upgrade or suggested workaround information. See References.
- Reference Link: https://www.tibco.com/support/advisories/2022/03/tibco-security-advisory-march-15-2022-tibco-jasperreports-library-2022-22771
- Reference Link: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22771