TIBCO JasperReports Server Insecure Direct Object References (IDOR) Vulnerability
Original release date: April 9, 2023
Last revised: ---
CVE-2024-3324
Source: TIBCO Software Inc.
Product(s) Affected
- TIBCO JasperReports Server versions 8.0.4 and below
- TIBCO JasperReports Server versions 8.2.0 and below
Component Affected
Multi-Tenancy Role based access
Description
The component listed above contains a vulnerability that allows direct access to objects based on user-supplied input: an attacker can bypass authorization and reach a resource directly by modifying the value of a parameter that points to an object. If exploited, this vulnerability allows malicious interaction with the web application by manipulating a database key, query parameter, or filename.
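As an added illustration, not code from this advisory or from TIBCO, the following Python sketch shows the object-lookup pattern described above beside a form that checks tenant and role before returning the object; the tenants, users, role names and report ids are constructed sample data.

```python
# Added illustration of the IDOR class described in the advisory. This is not
# TIBCO JasperReports Server code; tenants, users, roles and ids are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Report:
    report_id: int
    tenant: str
    owner: str


@dataclass(frozen=True)
class User:
    name: str
    tenant: str
    roles: frozenset


# Constructed sample store: two tenants, one report each.
REPORTS = {
    101: Report(101, "tenant-a", "alice"),
    202: Report(202, "tenant-b", "bob"),
}


class Forbidden(Exception):
    pass


def get_report_vulnerable(user: User, report_id: int) -> Report:
    """IDOR: the id taken from the request is used directly as the lookup key,
    so any authenticated user can read any tenant's report by changing it."""
    return REPORTS[report_id]


def get_report_fixed(user: User, report_id: int) -> Report:
    """Hardened form: fetch the object, then tie it to the caller's tenant and
    role before returning it. A missing id and a foreign-tenant id are denied
    the same way so the response does not reveal which ids exist."""
    report = REPORTS.get(report_id)
    same_tenant = report is not None and report.tenant == user.tenant
    may_read = "tenant-admin" in user.roles or (report is not None and report.owner == user.name)
    if not (same_tenant and may_read):
        raise Forbidden(f"{user.name} may not access report {report_id}")
    return report


def can_read(user: User, report_id: int) -> bool:
    """Boolean wrapper around the hardened check, handy for tests and audits."""
    try:
        get_report_fixed(user, report_id)
        return True
    except Forbidden:
        return False
```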
Impact
If an affected user is a privileged administrator, successful exploitation of this vulnerability can result in an attacker bypassing authentication mechanisms. This can result in elevated privileges that grant unauthorized access to sensitive information and the ability to alter that data.
CVSS v3 Base Score: 5.5 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N
Solution
- TIBCO JasperReports Server versions below 8.0.4 should be upgraded to 8.0.4 with the latest hotfix
- TIBCO JasperReports Server versions below 8.2.0 should be upgraded to 8.2.0 with the latest hotfix
References
https://community.tibco.com/advisories
CVE-2024-3324