cve/2018/CVE-2018-5430.md

### [CVE-2018-5430](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5430)
![](https://img.shields.io/static/v1?label=Product&message=TIBCO%20JasperReports%20Server%20Community%20Edition&color=blue)
![](https://img.shields.io/static/v1?label=Product&message=TIBCO%20JasperReports%20Server%20for%20ActiveMatrix%20BPM&color=blue)
![](https://img.shields.io/static/v1?label=Product&message=TIBCO%20JasperReports%20Server&color=blue)
![](https://img.shields.io/static/v1?label=Product&message=TIBCO%20Jaspersoft%20Reporting%20and%20Analytics%20for%20AWS&color=blue)
![](https://img.shields.io/static/v1?label=Product&message=TIBCO%20Jaspersoft%20for%20AWS%20with%20Multi-Tenancy&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Vulnerability&message=The%20impact%20includes%20the%20possible%20read-only%20access%20by%20authenticated%20users%20to%20web%20application%20configuration%20files%20that%20contain%20the%20credentials%20used%20by%20the%20server.%20Those%20credentials%20could%20then%20be%20used%20to%20affect%20external%20systems%20accessed%20by%20the%20JasperReports%20Server.%0A&color=brighgreen)

### Description

The Spring web flows of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, and TIBCO Jaspersoft Reporting and Analytics for AWS contain a vulnerability which may allow any authenticated user read-only access to the contents of the web application, including key configuration files. Affected releases include TIBCO Software Inc.'s TIBCO JasperReports Server: versions up to and including 6.2.4; 6.3.0; 6.3.2; 6.3.3;6.4.0; 6.4.2, TIBCO JasperReports Server Community Edition: versions up to and including 6.4.2, TIBCO JasperReports Server for ActiveMatrix BPM: versions up to and including 6.4.2, TIBCO Jaspersoft for AWS with Multi-Tenancy: versions up to and including 6.4.2, TIBCO Jaspersoft Reporting and Analytics for AWS: versions up to and including 6.4.2.

### POC

#### Reference
- https://www.exploit-db.com/exploits/44623/

#### Github
- https://github.com/ARPSyndicate/cvemon
- https://github.com/Ostorlab/KEV
- https://github.com/Ostorlab/known_exploited_vulnerbilities_detectors
- https://github.com/xaitax/cisa-catalog-known-vulnerabilities
Update Sun May 26 14:27:04 CEST 2024 2024-05-26 14:27:05 +02:00			`### [CVE-2018-5430](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5430)`
			`![](https://img.shields.io/static/v1?label=Product&message=TIBCO%20JasperReports%20Server%20Community%20Edition&color=blue)`
			`![](https://img.shields.io/static/v1?label=Product&message=TIBCO%20JasperReports%20Server%20for%20ActiveMatrix%20BPM&color=blue)`
			`![](https://img.shields.io/static/v1?label=Product&message=TIBCO%20JasperReports%20Server&color=blue)`
			`![](https://img.shields.io/static/v1?label=Product&message=TIBCO%20Jaspersoft%20Reporting%20and%20Analytics%20for%20AWS&color=blue)`
			`![](https://img.shields.io/static/v1?label=Product&message=TIBCO%20Jaspersoft%20for%20AWS%20with%20Multi-Tenancy&color=blue)`
			`![](https://img.shields.io/static/v1?label=Version&message=n%2Fa&color=blue)`
			`![](https://img.shields.io/static/v1?label=Vulnerability&message=The%20impact%20includes%20the%20possible%20read-only%20access%20by%20authenticated%20users%20to%20web%20application%20configuration%20files%20that%20contain%20the%20credentials%20used%20by%20the%20server.%20Those%20credentials%20could%20then%20be%20used%20to%20affect%20external%20systems%20accessed%20by%20the%20JasperReports%20Server.%0A&color=brighgreen)`

			`### Description`

			The Spring web flows of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, and TIBCO Jaspersoft Reporting and Analytics for AWS contain a vulnerability which may allow any authenticated user read-only access to the contents of the web application, including key configuration files. Affected releases include TIBCO Software Inc.'s TIBCO JasperReports Server: versions up to and including 6.2.4; 6.3.0; 6.3.2; 6.3.3;6.4.0; 6.4.2, TIBCO JasperReports Server Community Edition: versions up to and including 6.4.2, TIBCO JasperReports Server for ActiveMatrix BPM: versions up to and including 6.4.2, TIBCO Jaspersoft for AWS with Multi-Tenancy: versions up to and including 6.4.2, TIBCO Jaspersoft Reporting and Analytics for AWS: versions up to and including 6.4.2.

			`### POC`

			`#### Reference`
			`- https://www.exploit-db.com/exploits/44623/`

			`#### Github`
			`- https://github.com/ARPSyndicate/cvemon`
			`- https://github.com/Ostorlab/KEV`
			`- https://github.com/Ostorlab/known_exploited_vulnerbilities_detectors`
			`- https://github.com/xaitax/cisa-catalog-known-vulnerabilities`