CISA: JasperReports flaws under active exploitation

Two old security vulnerabilities impacting TIBCO Software's Java-based reporting and data analytics platform JasperReports are being leveraged in ongoing attacks, prompting their addition to the Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalog, reports The Hacker News. Threat actors have been exploiting CVE-2018-5430, an information disclosure flaw patched in April 2018, to facilitate read-only access to arbitrary files. "The impact includes the possible read-only access by authenticated users to web application configuration files that contain the credentials used by the server. Those credentials could then be used to affect external systems accessed by the JasperReports Server," said TIBCO. Meanwhile, CVE-2018-18809, a directory traversal bug addressed in March 2019, could be abused to enable sensitive file access for web server users and eventually allow credential theft and further system infiltrations. While no specifics have been provided by CISA regarding the ongoing attacks leveraging the flaws, federal agencies have been required to remediate both vulnerabilities by Jan. 19.