CVE-2018-18809

Medium · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 07 March 2019
Modified: 07 November 2025
KEV Added: 29 December 2022
Patch
CVSS Score (v3.1): 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.9391 (99.9th percentile)
Risk Priority: 89 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2018-18809 is a medium-severity Path Traversal (CWE-22) vulnerability in TIBCO JasperReports Library. Its CVSS base score is 6.5 (Medium).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

The vulnerability CVE-2018-18809 is a directory-traversal flaw, tracked as CWE-22, in the default server implementation of TIBCO JasperReports Library, TIBCO JasperReports Server, and related editions including the Community Edition, versions for ActiveMatrix BPM, and Jaspersoft variants for AWS. Affected releases encompass TIBCO JasperReports Library through 7.2.0, TIBCO JasperReports Server through 7.1.0, and numerous intermediate versions such as 6.4.x and 6.3.x releases across the product line, carrying a CVSS 3.1 score of 6.5.

An authenticated remote attacker with web server user privileges can send crafted requests to read arbitrary files on the underlying host, disclosing sensitive host contents. The attack is carried out over the network with low complexity and requires no user interaction.

Vendor advisories and additional technical details are referenced at the TIBCO support site along with disclosures on Packet Storm, Seclists, and SecurityFocus.

Vulnerability details

The default server implementation of TIBCO Software Inc.'s TIBCO JasperReports Library, TIBCO JasperReports Library Community Edition, TIBCO JasperReports Library for ActiveMatrix BPM, TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, and TIBCO Jaspersoft Reporting and Analytics for AWS contains a directory-traversal vulnerability that may theoretically allow web server users to access contents of the host system.

Affected releases are TIBCO Software Inc.'s:
TIBCO JasperReports Library: versions up to and including 6.3.4; 6.4.1; 6.4.2; 6.4.21; 7.1.0; 7.2.0
TIBCO JasperReports Library Community Edition: versions up to and including 6.7.0
TIBCO JasperReports Library for ActiveMatrix BPM: versions up to and including 6.4.21
TIBCO JasperReports Server: versions up to and including 6.3.4; 6.4.0; 6.4.1; 6.4.2; 6.4.3; 7.1.0
TIBCO JasperReports Server Community Edition: versions up to and including 6.4.3; 7.1.0
TIBCO JasperReports Server for ActiveMatrix BPM: versions up to and including 6.4.3
TIBCO Jaspersoft for AWS with Multi-Tenancy: versions up to and including 7.1.0
TIBCO Jaspersoft Reporting and Analytics for AWS: versions up to and including 7.1.0

CWE(s): CWE-22 (Path Traversal)
KEV Date Added: 29 December 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

tibco jasperreports library: 7.1.0, 7.2.0 · ≤ 6.4.21 · ≤ 6.7.0
tibco jasperreports server: 7.1.0 · ≤ 6.4.3 · ≤ 6.4.3
tibco jaspersoft: ≤ 7.1.0
tibco jaspersoft reporting and analytics: ≤ 7.1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Directly requires validation of untrusted input (e.g., file paths or report parameters) to block the crafted requests that enable directory traversal.

AC-3 Access Enforcement (prevent)
Enforces access-control policy on resources so that authenticated web users cannot reach arbitrary host files outside the intended JasperReports scope.

Information-flow enforcement (prevent)
Implements information-flow rules that would deny the unauthorized read of host-system files resulting from the traversal.
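The first two controls above (input validation of file paths, and enforcing that authenticated users stay inside the intended resource scope) come down to one concrete check in code: resolve the user-supplied resource name against the allowed base directory and refuse anything that does not land inside it. The Python below is an added example written for this page; it is not TIBCO's code and does not reproduce the JasperReports code path. The directory layout, file names and request strings are constructed for the demonstration, and naive_is_within is included only as the insecure string-prefix pattern that the hardened resolve_within replaces.

```python
"""Containment check for user-supplied file names (added example, not TIBCO code)."""
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when a requested name would resolve outside the allowed base directory."""


def naive_is_within(base_dir, user_path):
    """INSECURE pattern shown for contrast: a string-prefix test on the joined path.
    It accepts '../reports_private/x' under '/srv/reports' because the prefix matches."""
    joined = os.path.normpath(os.path.join(str(base_dir), user_path))
    return joined.startswith(str(base_dir))


def resolve_within(base_dir, user_path, max_decode=2):
    """Return the canonical path for user_path inside base_dir, or raise PathTraversalError.

    Handles: repeated percent-encoding, NUL bytes, backslash separators, absolute
    paths, '..' segments, symlinks pointing outside, and sibling-prefix confusion.
    """
    base = Path(base_dir).resolve(strict=True)

    # Decode percent-encoding a bounded number of times so '%252e%252e' (double
    # encoded '..') is seen for what it is rather than passing as a literal name.
    decoded = user_path
    for _ in range(max_decode):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt

    if "\x00" in decoded:
        raise PathTraversalError("NUL byte in requested name")

    # Treat backslashes as separators as well, so '..\\x' is not a plain file name.
    decoded = decoded.replace("\\", "/")
    candidate = Path(decoded)
    if candidate.is_absolute():
        raise PathTraversalError("absolute paths are not allowed")

    # resolve() collapses '..' and follows symlinks, so a link inside base that
    # targets a host file outside it resolves to that outside location.
    resolved = (base / candidate).resolve()

    # relative_to compares path components, not string prefixes: '/srv/reports_private'
    # is NOT under '/srv/reports', which is exactly where naive_is_within goes wrong.
    try:
        resolved.relative_to(base)
    except ValueError:
        raise PathTraversalError(f"{user_path!r} resolves outside {base}") from None
    return resolved


def build_demo_tree():
    """Create a constructed directory layout: a report base dir, a sibling 'private'
    dir, a host file outside both, and a symlink from the base dir to that file."""
    root = Path(tempfile.mkdtemp(prefix="jr-demo-")).resolve()
    base = root / "reports"
    base.mkdir()
    (base / "sales.jrxml").write_text("<jasperReport/>")          # constructed sample
    (base / "sub").mkdir()
    (base / "sub" / "q1.jrxml").write_text("<jasperReport/>")     # constructed sample
    (root / "reports_private").mkdir()
    (root / "reports_private" / "secret.txt").write_text("constructed secret")
    (root / "outside.txt").write_text("constructed host file")
    os.symlink(root / "outside.txt", base / "link")               # escapes the base
    return root, base


# Constructed request names: three legitimate, the rest traversal variants.
SAMPLE_REQUESTS = [
    "sales.jrxml",
    "sub/q1.jrxml",
    "sub/../sales.jrxml",
    "../outside.txt",
    "..%2f..%2foutside.txt",
    "%252e%252e/outside.txt",
    "..\\outside.txt",
    "/etc/hostname",
    "../reports_private/secret.txt",
    "link",
    "sales.jrxml\x00.txt",
]


def classify(base, names):
    """Map each requested name to 'allowed' or 'rejected' using resolve_within."""
    verdicts = {}
    for name in names:
        try:
            resolve_within(base, name)
            verdicts[name] = "allowed"
        except PathTraversalError:
            verdicts[name] = "rejected"
    return verdicts


if __name__ == "__main__":
    _, demo_base = build_demo_tree()
    for name, verdict in classify(demo_base, SAMPLE_REQUESTS).items():
        print(f"{name!r:40} {verdict}")
```

The design point is that the check runs on the canonical, fully resolved path, not on the raw string: every variant of `..`, encoding, separator or symlink trickery is reduced to the same question of whether the final location is a descendant of the base directory. Logging the rejected names (rather than silently returning 404) is what gives the access-control decision a detection signal.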

References