- CISA has added two vulnerabilities to its Known Exploited Vulnerabilities catalog, impacting TIBCO’s JasperReports.
- The vulnerabilities were fixed years ago, but attackers are still exploiting them on unpatched systems.
- All FCEB agencies are required to remediate the identified vulnerabilities before the 19th of January, 2023.
The U.S. Cybersecurity and Infrastructure Security Agency has added two vulnerabilities to its Known Exploited Vulnerabilities catalog. Although the vulnerabilities were addressed in 2018 and 2019, CISA’s decision to list them indicates that they are under active exploitation. Both vulnerabilities affect TIBCO Software’s JasperReports product.
JasperReports
The vulnerabilities are tracked as CVE-2018-5430 and CVE-2018-18809 and have CVSS scores of 7.7 and 9.9 respectively. JasperReports is a Java-based reporting and data analytics platform that enables users to create, distribute, and manage reports and dashboards.
CVE-2018-5430 is found in JasperReports Server and named JasperReports Server Information Disclosure Vulnerability. The vulnerability allows any authenticated user read-only access to the contents of the web application, including key configuration files. The second one, tracked as CVE-2018-18809, is found in JasperReports Library and named JasperReports Library Directory Traversal Vulnerability. It may allow web server users to access the contents of the host system.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities requires FCEB agencies to remediate the identified vulnerabilities by the 19th of January. CISA also urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice.