CVE-2018-5430
Published: 17 April 2018
Summary
CVE-2018-5430 is a high-severity path traversal (CWE-22) vulnerability in TIBCO JasperReports Server. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 2.5% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2018-5430 affects the Spring web flows component in TIBCO JasperReports Server (including Community Edition, for ActiveMatrix BPM, Jaspersoft for AWS with Multi-Tenancy, and Jaspersoft Reporting and Analytics for AWS). The vulnerability, present in versions up to and including 6.2.4, 6.3.0, 6.3.2, 6.3.3, 6.4.0, and 6.4.2, stems from improper handling that permits path traversal and information exposure (CWE-22 and CWE-200), enabling read-only access to arbitrary web application contents such as configuration files.
Any authenticated user can exploit the flaw over the network with low complexity to retrieve sensitive files from the application, potentially exposing credentials or other internal data. The CVSS 3.1 score of 8.8 reflects high impact on confidentiality, integrity, and availability despite the read-only limitation described.
Public references include a TIBCO security advisory dated April 17, 2018, along with technical analysis and working exploits published on Exploit-DB and by Rhino Security Labs, indicating that proof-of-concept code is readily available for this authenticated file-read issue.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2018-17200
Vulnerability details
The Spring web flows of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, and TIBCO Jaspersoft Reporting and Analytics for AWS contain a vulnerability which may allow any authenticated user read-only access to the contents of the web application, including key configuration files. Affected releases include TIBCO Software Inc.'s TIBCO JasperReports Server: versions up to and including 6.2.4; 6.3.0; 6.3.2; 6.3.3; 6.4.0; 6.4.2, TIBCO JasperReports Server Community Edition: versions up to and including 6.4.2, TIBCO JasperReports Server for ActiveMatrix BPM: versions up to and including 6.4.2, TIBCO Jaspersoft for AWS with Multi-Tenancy: versions up to and including 6.4.2, TIBCO Jaspersoft Reporting and Analytics for AWS: versions up to and including 6.4.2.
- CWE(s): CWE-22 (Path Traversal), CWE-200 (Information Exposure)
- KEV Date Added: 29 December 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly enforces access control policies on web application resources to block authenticated users from reading arbitrary configuration files via the Spring web flows path traversal flaw.
- SI-10 (Information Input Validation): Requires validation of user-supplied input (e.g., file paths) to prevent the path traversal and information exposure that enables read access to restricted web application contents.
- Least privilege for authenticated accounts: Limits privileges of authenticated accounts so they cannot reach configuration files or other sensitive application data even if the Spring web flows check is bypassed.
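The following is an added example, not TIBCO's code or a fix from the JasperReports project, showing the kind of server-side path validation the SI-10 and AC-3 control descriptions above call for. JasperReports Server is a Java/Spring application; the check is written in Python here so it can be run stand-alone. The base directory, the denied-directory list (WEB-INF and META-INF, a common convention for Java web applications) and every request string are constructed for the demonstration.

```python
"""Added example (not TIBCO's code): validate a user-supplied file name before
serving it from a web application directory. Base directory, denied prefixes
and request strings are constructed for the demonstration.
"""
import os
import tempfile
from urllib.parse import unquote

# Directories that must never be served even when the resolved path stays
# inside the application root. Assumed list for this example.
DENIED_PREFIXES = ("WEB-INF", "META-INF")


class PathTraversalError(ValueError):
    """Raised when a requested path fails validation."""


def resolve_user_path(base_dir: str, requested: str) -> str:
    """Return the absolute on-disk path for `requested` under `base_dir`.

    Rejects (by raising PathTraversalError) any request that is absolute,
    contains '.', '..' or empty segments, uses backslashes or NUL, names a
    denied top-level directory, or resolves through a symlink to a location
    outside `base_dir`.
    """
    # Decode twice so a double-encoded "..%252F" does not survive one pass.
    decoded = unquote(unquote(requested))
    if "\x00" in decoded or "\\" in decoded:
        raise PathTraversalError("disallowed character in path")
    segments = decoded.split("/")
    if any(seg in ("", ".", "..") for seg in segments):
        raise PathTraversalError("path is absolute or contains dot segments")
    if segments[0].upper() in DENIED_PREFIXES:
        raise PathTraversalError("path targets a protected directory")
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, *segments))
    # commonpath rather than startswith: "/srv/app2" would pass a
    # startswith("/srv/app") test while still being outside the base.
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise PathTraversalError("path resolves outside the allowed directory")
    return candidate


def is_allowed(base_dir: str, requested: str) -> bool:
    """True when the request would be served, False when it is rejected."""
    try:
        resolve_user_path(base_dir, requested)
        return True
    except PathTraversalError:
        return False


def demo() -> dict:
    """Run the check over constructed requests, including a symlink inside the
    served directory that points outside it; returns name -> allowed."""
    with tempfile.TemporaryDirectory() as root:
        served = os.path.join(root, "public")
        os.makedirs(os.path.join(served, "reports"))
        outside = os.path.join(root, "secret.properties")  # constructed target
        open(outside, "w").close()
        os.symlink(outside, os.path.join(served, "link.properties"))
        cases = {
            "plain": "reports/q1.pdf",
            "dotdot": "../secret.properties",
            "encoded": "..%2F..%2Fsecret.properties",
            "double_encoded": "..%252F..%252Fsecret.properties",
            "absolute": "/etc/passwd",
            "web_inf": "WEB-INF/applicationContext.xml",
            "symlink_escape": "link.properties",
        }
        return {name: is_allowed(served, req) for name, req in cases.items()}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:15s} {'served' if allowed else 'rejected'}")
```

The two layers matter for different reasons: the segment check is the SI-10 input validation (it refuses dot segments and absolute paths before any filesystem call), while the `realpath` plus `commonpath` comparison is the AC-3 enforcement that still holds when a symlink or mount inside the served tree points elsewhere. Rejecting rather than normalising traversal sequences also gives a clean event to log and alert on.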