
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two security flaws, both dating back to 2018, impacting TIBCO Software’s JasperReports product to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

The flaws, tracked as CVE-2018-5430 (CVSS score: 7.7) and CVE-2018-18809 (CVSS score: 9.9), were addressed by TIBCO in April 2018 and March 2019, respectively.

TIBCO JasperReports is a Java-based reporting and data analytics platform for creating, distributing, and managing reports and dashboards.

The first of the two issues, CVE-2018-5430, is an information disclosure bug in the server component that could enable an authenticated user to gain read-only access to arbitrary files, including key configuration files.

“The impact includes the possible read-only access by authenticated users to web application configuration files that contain the credentials used by the server,” TIBCO noted at the time. “Those credentials could then be used to affect external systems accessed by the JasperReports Server.”

CVE-2018-18809, on the other hand, is a directory traversal vulnerability in the JasperReports Library that could permit web server users to access sensitive files on the host, potentially making it possible for an attacker to steal credentials and break into other systems. Because the flaw sits in the library rather than only in the server product, applications that embed JasperReports Library are worth checking as well.

CISA did not disclose any additional specifics about how the vulnerabilities are being weaponized in real-world attacks. Federal agencies in the U.S. are required to patch their systems by January 19, 2023.
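To illustrate the bug class behind CVE-2018-18809 in the abstract, the following Python contrasts a file-serving routine that joins a caller-supplied name onto a base directory with a hardened resolver that canonicalises the path and then checks containment. This is an added example, not code from TIBCO or the JasperReports project and not the actual vulnerable code path; the directory layout, file names and request strings are constructed for the demo.

```python
"""Directory traversal, vulnerable pattern beside a hardened resolver.

Added illustration only: none of this is JasperReports code. The tree built in
run_demo() and the probe strings are constructed for the demonstration.
"""
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote


def unsafe_resolve(base_dir, user_path):
    """Vulnerable pattern: decode, then join with no canonicalisation or check.

    os.path.join() discards base_dir entirely when user_path is absolute, and
    '..' segments are left for the OS to walk out of the base directory.
    """
    return os.path.join(base_dir, unquote(user_path))


def safe_resolve(base_dir, user_path):
    """Hardened: decode once, canonicalise, require the result to stay under base.

    Returns the resolved Path, or None when the request escapes base_dir.
    """
    base = Path(base_dir).resolve()
    decoded = unquote(user_path)          # decode exactly once, never in a loop
    if "\x00" in decoded:                 # NUL bytes truncate paths in C-backed APIs
        return None
    candidate = (base / decoded).resolve()  # collapses '..' and follows symlinks
    try:
        candidate.relative_to(base)       # raises ValueError if outside base
    except ValueError:
        return None
    return candidate


def read_file(path):
    """Read a file for the demo; None stands in for a 404."""
    if path is None:
        return None
    try:
        return Path(path).read_bytes()
    except (FileNotFoundError, IsADirectoryError, PermissionError, NotADirectoryError):
        return None


def run_demo():
    """Build a throwaway tree and exercise both resolvers.

    Returns {label: {"unsafe": bytes|None, "safe": bytes|None}} so callers can
    see which probes the vulnerable join leaks and the hardened resolver blocks.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        base = root / "webapp"                       # the directory we intend to serve
        (base / "reports").mkdir(parents=True)
        (base / "reports" / "sales.jrxml").write_bytes(b"<jasperReport/>")
        # Constructed secret sitting one level above the served directory.
        (root / "outside.properties").write_bytes(b"db.password=hunter2")

        probes = {
            "legit":    "reports/sales.jrxml",          # normal request
            "dotdot":   "../outside.properties",        # classic traversal
            "encoded":  "..%2Foutside.properties",      # URL-encoded separator
            "absolute": str(root / "outside.properties"),  # absolute path swallows base
        }

        results = {}
        for label, probe in probes.items():
            results[label] = {
                "unsafe": read_file(unsafe_resolve(base, probe)),
                "safe": read_file(safe_resolve(base, probe)),
            }
        return results


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(f"{label:9s} unsafe={outcome['unsafe']!r:28s} safe={outcome['safe']!r}")
```

The containment check must run on the canonical path: comparing string prefixes before `resolve()` misses `..` segments and symlinks, and decoding more than once reopens the door to double-encoded separators. The same pattern applies to any language; in Java the equivalent is `Path.normalize()` or `File.getCanonicalPath()` followed by a `startsWith` check against the canonical base.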