TIBCO JasperReports Server SQL Injection vulnerability
Original release date: April 9, 2023
Last revised: ---
CVE-2024-3327
Source: TIBCO Software Inc.
Product(s) Affected
- TIBCO JasperReports Server versions 8.0.4 and below
- TIBCO JasperReports Server versions 8.2.0 and below
Component Affected
Query Executions
Description
The Query Executions component of TIBCO JasperReports Server contains a SQL injection vulnerability: untrusted input is incorporated into a query that is executed against the server's SQL-based database, so an attacker who controls that input can force the database to execute an unintended operation of the attacker's construction. This flaw class is common in web applications backed by SQL databases, and code paths that build queries through older, string-concatenating interfaces are more prone to it than newer parameterized APIs.
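As an added illustration of the defect class described above (example code written for this page; it is not JasperReports Server code and does not reproduce the affected Query Executions code path; the schema, table names, sample rows and the `region` parameter are constructed), the following shows a report query built by string concatenation beside the same query with a bound parameter, and what the same hostile input does to each:

```python
import sqlite3


def setup_db():
    """Build a constructed in-memory database (not JasperReports' schema)."""
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE sales (region TEXT, amount INTEGER)")
    cur.executemany("INSERT INTO sales VALUES (?, ?)",
                    [("north", 100), ("south", 250)])
    # A second table the report user is not supposed to be able to read.
    cur.execute("CREATE TABLE app_users (username TEXT, password_hash TEXT)")
    cur.executemany("INSERT INTO app_users VALUES (?, ?)",
                    [("admin", "hash-a1"), ("report_user", "hash-r2")])
    conn.commit()
    return conn


def run_report_vulnerable(conn, region):
    """Vulnerable form: the filter value is pasted into the SQL text,
    so anything the caller supplies is parsed as part of the statement."""
    sql = "SELECT region, amount FROM sales WHERE region = '" + region + "'"
    return conn.execute(sql).fetchall()


def run_report_parameterized(conn, region):
    """Hardened form: the value is bound separately from the statement text,
    so the database never interprets it as SQL."""
    return conn.execute(
        "SELECT region, amount FROM sales WHERE region = ?", (region,)
    ).fetchall()


# Constructed hostile input: closes the string literal, appends a UNION that
# reads the other table, and comments out the original trailing quote.
MALICIOUS_REGION = "x' UNION SELECT username, password_hash FROM app_users --"


def demo():
    """Run both variants with benign and hostile input; return the results."""
    conn = setup_db()
    benign = run_report_parameterized(conn, "north")
    leaked = run_report_vulnerable(conn, MALICIOUS_REGION)
    blocked = run_report_parameterized(conn, MALICIOUS_REGION)
    return benign, leaked, blocked


if __name__ == "__main__":
    benign, leaked, blocked = demo()
    print("benign input, parameterized:", benign)
    print("hostile input, concatenated: ", leaked)
    print("hostile input, parameterized:", blocked)
```

The concatenated version returns the rows of `app_users` because the injected `UNION` becomes part of the statement; the parameterized version returns nothing, since it looks for a region literally named `x' UNION SELECT ...`. Note that the leaked rows come back under the database privileges of the server's own connection, not the calling user's application permissions, which is why a flaw in a query-execution path is reviewed against what the database account can reach, not only against what the application user is allowed to see.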
Impact
In the worst case, a successful SQL injection attack exposes sensitive data stored in the database behind the server and allows limited modification of it (Confidentiality: High, Integrity: Low). Because the injected SQL runs with the database privileges of the server's own connection rather than with the calling user's application permissions, it can reach data the user is not otherwise authorized to see. Note that the vector below requires high privileges (PR:H): the attack is carried out over the network by an authenticated user who already holds elevated rights in JasperReports Server, not by an unauthenticated remote attacker.
CVSS v3.1 Base Score: 5.5 (Medium) CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N
Solution
- TIBCO JasperReports Server versions 8.0.4 and below: upgrade to 8.0.4 and apply the latest hotfix
- TIBCO JasperReports Server versions 8.2.0 and below: upgrade to 8.2.0 and apply the latest hotfix
References
https://community.tibco.com/advisories
CVE-2024-3327