CVE-2020-9409
TIBCO JasperReports Server Fails To Enforce Access Restrictions
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
The administrative UI component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server for AWS Marketplace, and TIBCO JasperReports Server for ActiveMatrix BPM contains a vulnerability that theoretically allows an unauthenticated attacker to obtain the permissions of a JasperReports Server "superuser" for the affected systems. The attacker can theoretically exploit the vulnerability consistently, remotely, and without authenticating. Affected releases are TIBCO Software Inc.'s TIBCO JasperReports Server: versions 7.1.1 and below, TIBCO JasperReports Server for AWS Marketplace: versions 7.1.1 and below, and TIBCO JasperReports Server for ActiveMatrix BPM: versions 7.1.1 and below.
El componente de la Interfaz de Usuario administrativa de TIBCO JasperReports Server, TIBCO JasperReports Server para AWS Marketplace, y TIBCO JasperReports Server para ActiveMatrix BPM, de TIBCO Software Inc, contiene una vulnerabilidad que teóricamente permite a un atacante no autenticado conseguir los permisos de un "superuser" de JasperReports Server para los sistemas afectados. El atacante puede, teóricamente explotar la vulnerabilidad consistentemente, remotamente y sin autenticación. Las versiones afectadas son TIBCO JasperReports Server de TIBCO Software Inc: versiones 7.1.1 y por debajo, TIBCO JasperReports Server para AWS Marketplace: versiones 7.1.1 y por debajo, y TIBCO JasperReports Server para ActiveMatrix BPM: versiones 7.1.1 y por debajo.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2020-02-26 CVE Reserved
- 2020-05-20 CVE Published
- 2023-03-07 EPSS Updated
- 2024-09-17 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-276: Incorrect Default Permissions
CAPEC
References (2)
URL | Tag | Source |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://www.oracle.com/security-alerts/cpuoct2020.html | 2023-11-07 |
URL | Date | SRC |
---|---|---|
http://www.tibco.com/services/support/advisories | 2023-11-07 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Tibco Search vendor "Tibco" | Jasperreports Server Search vendor "Tibco" for product "Jasperreports Server" | <= 7.1.1 Search vendor "Tibco" for product "Jasperreports Server" and version " <= 7.1.1" | - |
Affected
| ||||||
Tibco Search vendor "Tibco" | Jasperreports Server Search vendor "Tibco" for product "Jasperreports Server" | <= 7.1.1 Search vendor "Tibco" for product "Jasperreports Server" and version " <= 7.1.1" | activematrix_bpm |
Affected
| ||||||
Tibco Search vendor "Tibco" | Jasperreports Server Search vendor "Tibco" for product "Jasperreports Server" | <= 7.1.1 Search vendor "Tibco" for product "Jasperreports Server" and version " <= 7.1.1" | aws_marketplace |
Affected
| ||||||
Oracle Search vendor "Oracle" | Retail Order Broker Search vendor "Oracle" for product "Retail Order Broker" | 15.0 Search vendor "Oracle" for product "Retail Order Broker" and version "15.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Retail Order Broker Search vendor "Oracle" for product "Retail Order Broker" | 16.0 Search vendor "Oracle" for product "Retail Order Broker" and version "16.0" | - |
Affected
|