cvelist/2019/8xxx/CVE-2019-8986.json

{
   "CVE_data_meta" : {
      "ASSIGNER" : "security@tibco.com",
      "DATE_PUBLIC" : "2019-03-06T17:00:00.000Z",
      "ID" : "CVE-2019-8986",
      "STATE" : "PUBLIC",
      "TITLE" : "TIBCO JasperReports Server XML Entity Expansion Vulnerability"
   },
   "affects" : {
      "vendor" : {
         "vendor_data" : [
            {
               "product" : {
                  "product_data" : [
                     {
                        "product_name" : "TIBCO JasperReports Server",
                        "version" : {
                           "version_data" : [
                              {
                                 "affected" : "<=",
                                 "version_value" : "6.3.4"
                              },
                              {
                                 "affected" : "=",
                                 "version_value" : "6.4.0"
                              },
                              {
                                 "affected" : "=",
                                 "version_value" : "6.4.1"
                              },
                              {
                                 "affected" : "=",
                                 "version_value" : "6.4.2"
                              },
                              {
                                 "affected" : "=",
                                 "version_value" : "6.4.3"
                              }
                           ]
                        }
                     },
                     {
                        "product_name" : "TIBCO JasperReports Server for ActiveMatrix BPM",
                        "version" : {
                           "version_data" : [
                              {
                                 "affected" : "<=",
                                 "version_value" : "6.4.3"
                              }
                           ]
                        }
                     }
                  ]
               },
               "vendor_name" : "TIBCO Software Inc."
            }
         ]
      }
   },
   "credit" : [
      {
         "lang" : "eng",
         "value" : "TIBCO would like to extend its appreciation to Julien Szlamowicz and Sebastien Dudek of Synacktiv for discovery of this vulnerability."
      }
   ],
   "data_format" : "MITRE",
   "data_type" : "CVE",
   "data_version" : "4.0",
   "description" : {
      "description_data" : [
         {
            "lang" : "eng",
            "value" : "The SOAP API component vulnerability of TIBCO Software Inc.'s TIBCO JasperReports Server, and TIBCO JasperReports Server for ActiveMatrix BPM contains a vulnerability that may allow a malicious authenticated user to copy text files from the host operating system. Affected releases are TIBCO Software Inc.'s TIBCO JasperReports Server: versions up to and including 6.3.4; 6.4.0; 6.4.1; 6.4.2; 6.4.3, TIBCO JasperReports Server for ActiveMatrix BPM: versions up to and including 6.4.3."
         }
      ]
   },
   "impact" : {
      "cvss" : {
         "attackComplexity" : "LOW",
         "attackVector" : "NETWORK",
         "availabilityImpact" : "NONE",
         "baseScore" : 7.7,
         "baseSeverity" : "HIGH",
         "confidentialityImpact" : "HIGH",
         "integrityImpact" : "NONE",
         "privilegesRequired" : "LOW",
         "scope" : "CHANGED",
         "userInteraction" : "NONE",
         "vectorString" : "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
         "version" : "3.0"
      }
   },
   "problemtype" : {
      "problemtype_data" : [
         {
            "description" : [
               {
                  "lang" : "eng",
                  "value" : "foo"
               }
            ]
         }
      ]
   },
   "references" : {
      "reference_data" : [
         {
            "name" : "http://www.tibco.com/services/support/advisories",
            "refsource" : "MISC",
            "url" : "http://www.tibco.com/services/support/advisories"
         },
         {
            "name" : "https://www.tibco.com/support/advisories/2019/03/tibco-security-advisory-march-6-2019-tibco-jasperreports-server-2018-8986",
            "refsource" : "CONFIRM",
            "url" : "https://www.tibco.com/support/advisories/2019/03/tibco-security-advisory-march-6-2019-tibco-jasperreports-server-2018-8986"
         }
      ]
   },
   "solution" : [
      {
         "lang" : "eng",
         "value" : "TIBCO has released updated versions of the affected components which address these issues. For each affected system, update to the corresponding software versions:\n\nTIBCO JasperReports Server versions 6.3.4 and below update to version 6.3.5 or higher\n  TIBCO JasperReports Server versions 6.4.0, 6.4.1, 6.4.2, and 6.4.3 update to version 6.4.4 or higher\n\nTIBCO JasperReports Server for ActiveMatrix BPM versions 6.4.3 and below update to version 6.4.4 or higher\n"
      }
   ],
   "source" : {
      "discovery" : "EXTERNAL"
   }
}
- Synchronized data. 2019-02-21 16:04:56 -05:00			`{`
			`"CVE_data_meta" : {`
TIBCO Jaspersoft suite vulnerabilities. 2019-03-06 08:05:51 -08:00			`"ASSIGNER" : "security@tibco.com",`
			`"DATE_PUBLIC" : "2019-03-06T17:00:00.000Z",`
- Synchronized data. 2019-02-21 16:04:56 -05:00			`"ID" : "CVE-2019-8986",`
TIBCO Jaspersoft suite vulnerabilities. 2019-03-06 08:05:51 -08:00			`"STATE" : "PUBLIC",`
			`"TITLE" : "TIBCO JasperReports Server XML Entity Expansion Vulnerability"`
- Synchronized data. 2019-02-21 16:04:56 -05:00			`},`
TIBCO Jaspersoft suite vulnerabilities. 2019-03-06 08:05:51 -08:00			`"affects" : {`
			`"vendor" : {`
			`"vendor_data" : [`
			`{`
			`"product" : {`
			`"product_data" : [`
			`{`
			`"product_name" : "TIBCO JasperReports Server",`
			`"version" : {`
			`"version_data" : [`
			`{`
			`"affected" : "<=",`
			`"version_value" : "6.3.4"`
			`},`
			`{`
			`"affected" : "=",`
			`"version_value" : "6.4.0"`
			`},`
			`{`
			`"affected" : "=",`
			`"version_value" : "6.4.1"`
			`},`
			`{`
			`"affected" : "=",`
			`"version_value" : "6.4.2"`
			`},`
			`{`
			`"affected" : "=",`
			`"version_value" : "6.4.3"`
			`}`
			`]`
			`}`
			`},`
			`{`
			`"product_name" : "TIBCO JasperReports Server for ActiveMatrix BPM",`
			`"version" : {`
			`"version_data" : [`
			`{`
			`"affected" : "<=",`
			`"version_value" : "6.4.3"`
			`}`
			`]`
			`}`
			`}`
			`]`
			`},`
			`"vendor_name" : "TIBCO Software Inc."`
			`}`
			`]`
			`}`
			`},`
			`"credit" : [`
			`{`
			`"lang" : "eng",`
			`"value" : "TIBCO would like to extend its appreciation to Julien Szlamowicz and Sebastien Dudek of Synacktiv for discovery of this vulnerability."`
			`}`
			`],`
- Synchronized data. 2019-02-21 16:04:56 -05:00			`"data_format" : "MITRE",`
			`"data_type" : "CVE",`
			`"data_version" : "4.0",`
			`"description" : {`
			`"description_data" : [`
			`{`
			`"lang" : "eng",`
- Synchronized data. 2019-03-07 17:31:16 -05:00			`"value" : "The SOAP API component vulnerability of TIBCO Software Inc.'s TIBCO JasperReports Server, and TIBCO JasperReports Server for ActiveMatrix BPM contains a vulnerability that may allow a malicious authenticated user to copy text files from the host operating system. Affected releases are TIBCO Software Inc.'s TIBCO JasperReports Server: versions up to and including 6.3.4; 6.4.0; 6.4.1; 6.4.2; 6.4.3, TIBCO JasperReports Server for ActiveMatrix BPM: versions up to and including 6.4.3."`
TIBCO Jaspersoft suite vulnerabilities. 2019-03-06 08:05:51 -08:00			`}`
			`]`
			`},`
			`"impact" : {`
			`"cvss" : {`
			`"attackComplexity" : "LOW",`
			`"attackVector" : "NETWORK",`
			`"availabilityImpact" : "NONE",`
			`"baseScore" : 7.7,`
			`"baseSeverity" : "HIGH",`
			`"confidentialityImpact" : "HIGH",`
			`"integrityImpact" : "NONE",`
			`"privilegesRequired" : "LOW",`
			`"scope" : "CHANGED",`
			`"userInteraction" : "NONE",`
			`"vectorString" : "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",`
			`"version" : "3.0"`
			`}`
			`},`
			`"problemtype" : {`
			`"problemtype_data" : [`
			`{`
			`"description" : [`
			`{`
			`"lang" : "eng",`
			`"value" : "foo"`
			`}`
			`]`
- Synchronized data. 2019-02-21 16:04:56 -05:00			`}`
			`]`
TIBCO Jaspersoft suite vulnerabilities. 2019-03-06 08:05:51 -08:00			`},`
			`"references" : {`
			`"reference_data" : [`
			`{`
- Synchronized data. 2019-03-07 17:31:16 -05:00			`"name" : "http://www.tibco.com/services/support/advisories",`
			`"refsource" : "MISC",`
TIBCO Jaspersoft suite vulnerabilities. 2019-03-06 08:05:51 -08:00			`"url" : "http://www.tibco.com/services/support/advisories"`
			`},`
			`{`
- Synchronized data. 2019-03-07 17:31:16 -05:00			`"name" : "https://www.tibco.com/support/advisories/2019/03/tibco-security-advisory-march-6-2019-tibco-jasperreports-server-2018-8986",`
			`"refsource" : "CONFIRM",`
TIBCO Jaspersoft suite vulnerabilities. 2019-03-06 08:05:51 -08:00			`"url" : "https://www.tibco.com/support/advisories/2019/03/tibco-security-advisory-march-6-2019-tibco-jasperreports-server-2018-8986"`
			`}`
			`]`
			`},`
			`"solution" : [`
			`{`
			`"lang" : "eng",`
			`"value" : "TIBCO has released updated versions of the affected components which address these issues. For each affected system, update to the corresponding software versions:\n\nTIBCO JasperReports Server versions 6.3.4 and below update to version 6.3.5 or higher\n TIBCO JasperReports Server versions 6.4.0, 6.4.1, 6.4.2, and 6.4.3 update to version 6.4.4 or higher\n\nTIBCO JasperReports Server for ActiveMatrix BPM versions 6.4.3 and below update to version 6.4.4 or higher\n"`
			`}`
			`],`
			`"source" : {`
			`"discovery" : "EXTERNAL"`
- Synchronized data. 2019-02-21 16:04:56 -05:00			`}`
			`}`