The US CISA has added TIBCO Software’s JasperReports vulnerabilities, to its Known Exploited Vulnerabilities catalog.
TIBCO JasperReports is an open-source Java reporting tool for creating and managing reports and dashboards and it has vulnerabilities tracked as CVE-2018-5430 with a CVSS score of 7.7 and CVE-2018-18809 with a CVSS score of 9.9.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies must address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Vulnerability Details as follows
- CVE-2018-5430 – TIBCO JasperReports Server contains a vulnerability that may allow any authenticated user read-only access to the contents of the web application, including key configuration files.
- CVE-2018-18809 – TIBCO JasperReports Library contains a directory-traversal vulnerability that may allow web server users to access the contents of the host system.
US Federal agencies must address these vulnerabilities in their systems by January 19, 2023.