Updated on 2022-12-30
The US Cybersecurity and Infrastructure Security Agency (CISA) has added two JasperReports vulnerabilities to its known exploited vulnerabilities catalog: CVE-2018-5430 (CVSS score: 7.7) and CVE-2018-18809 (CVSS score: 9.9). The flaws were disclosed in 2018; fixes are available for both flaws. CISA says it has become aware that the vulnerabilities – an information disclosure flaw in JasperReports Server and a directory traversal flaw in JasperReports Library – are being actively exploited. Federal civilian agencies have until January 19 to mitigate the flaws on their systems.
Note
- The two flaws, CVE-2018-5430 and CVE-2018-18809 have patches from TIBCO, also released in 2018. Make sure that you’re running the updated JasperReports server, library, and reporting engines.
- The most obvious use of this database is to prioritize patching. However, consider consulting it as an indicator of quality before buying a product.
Read more in
- Known Exploited Vulnerabilities Catalog
- CISA Adds Two Known Exploited Vulnerabilities to Catalog
- TIBCO Security Advisory: April 17, 2018 – TIBCO JasperReports – 2018-5430
- Security Bulletin: TIBCO JasperReports Vulnerabilities Affect IBM Sterling B2B Integrator (CVE-2020-9410, CVE-2018-18809)
Overview: CISA KEV update
CISA has updated its KEV database with two new vulnerabilities that are being exploited in the wild. Both are vulnerabilities in the JasperReports library that were disclosed and patched in 2018 (CVE-2018-5430 and CVE-2018-18809) but have recently come under attack.