What this actually is.
Technical background, root cause, and affected surface.
The directory traversal vulnerability may theoretically allow web server users to access the contents of the host system.
*Affected Products: TIBCO JasperReports Library versions 6.3.4 and below, TIBCO JasperReports Library versions 6.4.1, 6.4.2, and 6.4.21, TIBCO JasperReports Library version 7.1.0, TIBCO JasperReports Library version 7.2.0, TIBCO JasperReports Library Community Edition versions 6.7.0 and below,TIBCO JasperReports Library for ActiveMatrix BPM versions 6.4.21 and below, TIBCO JasperReports Server versions 6.3.4 and below TIBCO JasperReports Server versions 6.4.0, 6.4.1, 6.4.2, and 6.4.3, TIBCO JasperReports Server version 7.1.0, TIBCO JasperReports Server Community Edition versions 6.4.3 and below, TIBCO JasperReports Server Community Edition version 7.1.0, TIBCO JasperReports Server for ActiveMatrix BPM versions 6.4.3 and below, TIBCO Jaspersoft for AWS with Multi-Tenancy versions 7.1.0 and below ,TIBCO Jaspersoft Reporting and Analytics for AWS versions 7.1.0 and below
- Vendor
- TIBCO
- Affected Product
- See Full List Below*
- CVE
- CVE-2018-18809
- Securin ID
- 2018-CSW-02-1018
- Status
- Fixed
- Date
- October 15, 2018
- Severity
- Medium
- CVSS Score
- 6.5
- Vector
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
- CWE
- CWE-22
From one request
to root shell.
Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.
What an attacker does to you.
Post-exploitation outcomes mapped to CVSS impact metrics.
The impact of this vulnerability includes the theoretical possibility that a web server using the provided DefaultWebResourceHandler could expose details of the host system. The disclosed data could include credentials to access other systems.
Fix it. In this order.
A runbook, not a checklist. Sequence matters — assume compromise before you act.
TIBCO JasperReports Library versions 6.3.4 and below update to version 6.3.5 or higher
TIBCO JasperReports Library versions 6.4.1, 6.4.2, and 6.4.21 update to version 6.4.22 or higher
TIBCO JasperReports Library version 7.1.0 update to version 7.1.1 or higher
TIBCO JasperReports Library version 7.2.0 update to version 7.2.1 or higher
TIBCO JasperReports Library Community Edition versions 6.7.0 and below update to version 6.7.1 or higher
TIBCO JasperReports Library for ActiveMatrix BPM versions 6.4.21 and below update to version 6.4.22 or higher
TIBCO JasperReports Server versions 6.3.4 and below update to version 6.3.5 or higher
TIBCO JasperReports Server versions 6.4.0, 6.4.1, 6.4.2, and 6.4.3 update to version 6.4.4 or higher
TIBCO JasperReports Server version 7.1.0 update to version 7.1.1 or higher
TIBCO JasperReports Server Community Edition versions 7.1.0 and below update to version 7.1.1 or higher
TIBCO JasperReports Server for ActiveMatrix BPM versions 6.4.3 and below update to version 6.4.4 or higher
TIBCO Jaspersoft for AWS with Multi-Tenancy versions 7.1.0 and below update to version 7.1.1 or higher
TIBCO Jaspersoft Reporting and Analytics for AWS versions 7.1.0 and below update to version 7.1.1 or higher
Download and apply the following patch advised as per TIBCO for the affected system, update to the corresponding software versions:
disclose@securin.ioVendors moved in days.
Attackers in hours.
Reconstructed from vendor advisories, CISA bulletins, and Securin research records.
Discovered in Tibco.
The issue was under investigation.
TIBCO Security Advisory Published.
Demo site fixed and updated.
Disclosed 142 days after discovery · Listed in CISA Known Exploited Vulnerabilities
Cite, verify, go deeper.
Primary sources — NVD, CISA KEV, and machine-readable IoC feed.