TIBCO JasperReports Server Remote Code Execution (RCE) vulnerability
Original release date: April 09, 2024
Last revised: ---
CVE-2024-3326
Source: TIBCO Software Inc.
Product(s) Affected
- TIBCO JasperReports Server versions 8.0.4 and below
- TIBCO JasperReports Server versions 8.2.0 and below
Component Affected
JDBC URL Validation
Description
The JDBC URL Validation component of the affected versions lets an attacker who can supply a JDBC URL to the server execute arbitrary code on the host that runs JasperReports Server. The attack is carried out over the network (the server only needs to be reachable, on a public or a private network), but it is not unauthenticated: the CVSS vector below carries PR:H, so the attacker must already hold high privileges in the application, such as an administrative account. Successful exploitation is not contained within the application (S:C): arbitrary code runs on the underlying operating system, which is equivalent to a full compromise of the server, and application-level administrative access is converted into control of the host itself.
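The advisory does not describe the specific validation bypass, so the following is an added example, not TIBCO's code, of the allowlist pattern that a validator for administrator-supplied JDBC URLs in a Java server should implement. It does not reproduce the CVE-2024-3326 flaw. The accepted subprotocols, hosts and connection properties are assumed for the example; `socketFactory`, used as a disallowed property in the samples, is a real PostgreSQL JDBC driver property that names a class to load, included only to show why unknown properties must be refused rather than passed through to the driver.

```java
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Allowlist-based validation of JDBC URLs entered through an admin UI.
 * Hypothetical example: not TIBCO code, and not the CVE-2024-3326 bypass,
 * which the advisory does not describe.
 */
public final class JdbcUrlPolicy {

    // Only the canonical shape jdbc:<subprotocol>://<host>[:<port>]/<database>[?<k=v&...>]
    // is accepted. Driver-specific ';' property syntax, embedded credentials, file paths,
    // whitespace and URL-encoded characters all fail this pattern and are rejected outright.
    private static final Pattern SHAPE = Pattern.compile(
            "^jdbc:([a-z0-9]+)://([A-Za-z0-9.-]+)(?::([0-9]{1,5}))?/([A-Za-z0-9_]+)"
            + "(?:\\?([A-Za-z0-9_.=&-]*))?$");

    // Per-subprotocol allowlist of the connection properties this deployment needs.
    // Everything else is refused, including properties that make a driver load a class,
    // run a script or write a file. (Assumed lists for the example.)
    private static final Map<String, Set<String>> ALLOWED_PROPERTIES = Map.of(
            "postgresql", Set.of("ssl", "sslmode", "ApplicationName"),
            "mysql", Set.of("useSSL", "serverTimezone"));

    // Database hosts an administrator may point a data source at (assumed for the example).
    private static final Set<String> ALLOWED_HOSTS =
            Set.of("db1.internal.example", "db2.internal.example");

    private JdbcUrlPolicy() {}

    /** Returns null when the URL is acceptable, otherwise a reason suitable for the audit log. */
    public static String reject(String url) {
        if (url == null || url.length() > 512) {
            return "missing or oversized URL";
        }
        Matcher m = SHAPE.matcher(url);
        if (!m.matches()) {
            return "URL does not match the canonical jdbc:<subprotocol>://host/db shape";
        }
        String subprotocol = m.group(1);
        Set<String> allowedProps = ALLOWED_PROPERTIES.get(subprotocol);
        if (allowedProps == null) {
            return "subprotocol not permitted: " + subprotocol;
        }
        String host = m.group(2);
        if (!ALLOWED_HOSTS.contains(host)) {
            return "host not permitted: " + host;
        }
        String port = m.group(3);
        if (port != null && Integer.parseInt(port) > 65535) {
            return "port out of range: " + port;
        }
        String query = m.group(5);
        if (query == null || query.isEmpty()) {
            return null;
        }
        // Each property must be key=value with a key on the allowlist; unknown keys are
        // rejected rather than forwarded to the driver, where their meaning is driver-defined.
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            if (eq <= 0 || pair.indexOf('=', eq + 1) >= 0) {
                return "malformed property: " + pair;
            }
            String key = pair.substring(0, eq);
            if (!allowedProps.contains(key)) {
                return "property not permitted: " + key;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not taken from the advisory.
        String[] samples = {
            "jdbc:postgresql://db1.internal.example:5432/reports?sslmode=require",
            "jdbc:postgresql://db1.internal.example/reports?socketFactory=com.example.Loader",
            "jdbc:mysql://db2.internal.example/reports?useSSL=true&serverTimezone=UTC",
            "jdbc:h2:mem:reports;INIT=RUNSCRIPT FROM 'script.sql'",
            "jdbc:postgresql://attacker.example/reports",
        };
        for (String s : samples) {
            String why = reject(s);
            System.out.println((why == null ? "ACCEPT " : "REJECT ") + s
                    + (why == null ? "" : "  (" + why + ")"));
        }
    }
}
```

The design point is that validation decides by what is explicitly permitted (shape, subprotocol, host, property names) and never by a denylist of known-bad strings: connection properties are interpreted by each driver, so any property the validator does not understand has to be refused, not forwarded.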
Impact
A successful attack gives the attacker code execution on the server, which can serve as the entry point for follow-on attacks. The major impacts are privilege escalation from application administrator to the underlying host, compromise of other systems on the network, denial of service, and ransomware deployment. The vector rates confidentiality, integrity and availability impact all as high, with a scope change beyond the vulnerable component.
CVSS v3 Base Score: 9.1 (Critical) CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Solution
- TIBCO JasperReports Server versions 8.0.4 and below: upgrade to 8.0.4 and apply the latest hotfix
- TIBCO JasperReports Server versions 8.2.0 and below: upgrade to 8.2.0 and apply the latest hotfix
Note that the fix ships as a hotfix on top of 8.0.4 and 8.2.0, so the base version number alone does not show whether an installation is patched; verify the installed hotfix level. Until the hotfix is applied, reduce exposure by limiting the accounts that hold high privileges in the application, since the vector requires such privileges.
References
https://community.tibco.com/advisories
CVE-2024-3326