Bug#880467: jasperreports: CVE-2017-14941, CVE-2017-5528, CVE-2017-5529
Markus Koschany
apo at debian.org
Tue Oct 31 21:45:32 UTC 2017
Package: jasperreports
X-Debbugs-CC: team at security.debian.org
Severity: important
Tags: security
Hi,
the following vulnerabilities were published for jasperreports.
I couldn't find much information about them, so I asked a question on
the community board for jasperreports.
https://community.jaspersoft.com/questions/1072461/security-update-cve-2017-14941-cve-2017-5528-cve-2017-5529
CVE-2017-14941[0]:
| Jaspersoft JasperReports 4.7 suffers from a saved credential disclosure
| vulnerability, which allows a remote authenticated user to retrieve
| stored Data Source passwords by accessing flow.html and reading the
| HTML source code of the page reached in an Edit action for a Data
| Source connector.
CVE-2017-5528[1]:
| Multiple JasperReports Server components contain vulnerabilities
| which may allow authorized users to perform cross-site scripting
| (XSS) and cross-site request forgery (CSRF) attacks. The impact of
| this vulnerability includes the theoretical disclosure of sensitive
| information. Affects TIBCO JasperReports Server (versions 6.1.1 and
| below, 6.2.0, 6.2.1, and 6.3.0), TIBCO JasperReports Server Community
| Edition (versions 6.3.0 and below), TIBCO JasperReports Server for
| ActiveMatrix BPM (versions 6.2.0 and below), TIBCO Jaspersoft for AWS
| with Multi-Tenancy (versions 6.2.0 and below), and TIBCO Jaspersoft
| Reporting and Analytics for AWS (versions 6.2.0 and below).
CVE-2017-5529[2]:
| JasperReports library components contain an information disclosure
| vulnerability. This vulnerability includes the theoretical disclosure
| of any accessible information from the host file system. Affects TIBCO
| JasperReports Library Community Edition (versions 6.4.0 and below),
| TIBCO JasperReports Library for ActiveMatrix BPM (versions 6.2.0 and
| below), TIBCO JasperReports Professional (versions 6.2.1 and below,
| and 6.3.0), TIBCO JasperReports Server (versions 6.1.1 and below,
| 6.2.0, 6.2.1, 6.3.0), TIBCO JasperReports Server Community Edition
| (versions 6.3.0 and below), TIBCO JasperReports Server for
| ActiveMatrix BPM (versions 6.2.0 and below), TIBCO Jaspersoft for AWS
| with Multi-Tenancy (versions 6.3.0 and below), TIBCO Jaspersoft
| Reporting and Analytics for AWS (versions 6.3.0 and below), and TIBCO
| Jaspersoft Studio for ActiveMatrix BPM (versions 6.2.0 and below).
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-14941
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14941
[1] https://security-tracker.debian.org/tracker/CVE-2017-5528
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5528
[2] https://security-tracker.debian.org/tracker/CVE-2017-5529
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5529
Please adjust the affected versions in the BTS as needed.