Heimdal Security Blog

CISA Adds New Active Exploitations of JasperReports Vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), citing evidence of active exploitation, has added two security flaws from 2018 affecting TIBCO Software's JasperReports product to its Known Exploited Vulnerabilities (KEV) catalog.

JasperReports is a Java-based reporting and data analytics platform used for creating, distributing, and managing reports and dashboards.

Two Important Flaws Exploited by Threat Actors

As reported by The Hacker News, the flaws are tracked as CVE-2018-5430 (CVSS score: 7.7) and CVE-2018-18809 (CVSS score: 9.9). TIBCO patched them in April 2018 and March 2019 respectively.

Source: The Hacker News

The first, CVE-2018-5430, is an information disclosure flaw in a server component that could give any authenticated user read-only access to the contents of the web application, including key configuration files.

TIBCO noted when it released the patch that the impact of this vulnerability includes "the possible read-only access by authenticated users to web application configuration files that contain the credentials used by the server." Those credentials could then be used to reach external systems accessed by the JasperReports Server.

The second, CVE-2018-18809, is a directory traversal flaw in the JasperReports Library that could allow web server users to read files on the host system, which an attacker could again use to harvest credentials and pivot to other systems.
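To make the two bug classes concrete, here is an added example written for this page; it is not code from TIBCO or the JasperReports project, and it is in Python rather than the Java that JasperReports is built on. It builds a constructed, throwaway directory tree standing in for a web application root, then contrasts a naive path-join file read, which lets "../" segments reach a WEB-INF configuration file inside the web application (the CVE-2018-5430 pattern) and a file outside it on the host (the CVE-2018-18809 pattern), with a hardened read that resolves symlinks and confirms the target stays under the served directory. The file names, the password value and the function names are all assumptions for illustration.

```python
import os
import shutil
import tempfile


def build_demo_tree():
    """Constructed file layout for this example (not a real JasperReports
    install): the web root holds a served "reports" directory and a WEB-INF
    configuration file that must never be served; one more file sits outside
    the web root entirely, standing in for any file on the host."""
    base = tempfile.mkdtemp(prefix="jrs-demo-")
    webroot = os.path.join(base, "webapp")
    os.makedirs(os.path.join(webroot, "reports"))
    os.makedirs(os.path.join(webroot, "WEB-INF"))
    with open(os.path.join(webroot, "reports", "sales.jrxml"), "w") as f:
        f.write("<jasperReport/>\n")
    with open(os.path.join(webroot, "WEB-INF", "jdbc.properties"), "w") as f:
        f.write("metadata.jdbc.password=hunter2\n")  # constructed, not a real secret
    with open(os.path.join(base, "outside.txt"), "w") as f:
        f.write("file outside the web root\n")
    return base, webroot


def vulnerable_read(served_dir, requested):
    """Classic traversal bug: the request path is glued onto the served
    directory and normalised, so "../" segments walk out of it."""
    target = os.path.normpath(os.path.join(served_dir, requested))
    with open(target) as f:
        return f.read()


def safe_read(served_dir, requested):
    """Hardened form: resolve symlinks on both sides, then require the
    resolved target to sit inside the resolved served directory. An absolute
    request path is neutralised the same way, because os.path.join discards
    the root when the second argument is absolute and the check then fails."""
    root = os.path.realpath(served_dir)
    target = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError(f"path escapes served directory: {requested!r}")
    with open(target) as f:
        return f.read()


def demo():
    """Run both readers over three requests; returns, per request, the content
    the vulnerable reader hands out and whether the hardened reader blocked it."""
    base, webroot = build_demo_tree()
    served = os.path.join(webroot, "reports")
    requests = [
        "sales.jrxml",                  # legitimate report under the served dir
        "../WEB-INF/jdbc.properties",   # config inside the webapp (CVE-2018-5430 pattern)
        "../../outside.txt",            # host file outside the webapp (CVE-2018-18809 pattern)
    ]
    results = {}
    try:
        for req in requests:
            leaked = vulnerable_read(served, req)
            try:
                safe_read(served, req)
                blocked = False
            except PermissionError:
                blocked = True
            results[req] = (leaked.strip(), blocked)
    finally:
        shutil.rmtree(base)
    return results


if __name__ == "__main__":
    for req, (content, blocked) in demo().items():
        verdict = "blocked" if blocked else "allowed"
        print(f"{req:30} vulnerable -> {content!r:40} hardened -> {verdict}")
```

The check that matters is the comparison of resolved paths, not a string search for "..": encoded or symlinked variants defeat pattern matching, while `realpath` plus `commonpath` reasons about where the target actually lands on disk.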

CISA has not shared details of how the vulnerabilities are being exploited in the wild. U.S. federal agencies must patch affected systems by January 19, 2023.
