Bug#880467: jasperreports: CVE-2017-14941, CVE-2017-5528, CVE-2017-5529

Markus Koschany apo at debian.org
Tue Oct 31 21:45:32 UTC 2017


Package: jasperreports
X-Debbugs-CC: team at security.debian.org
Severity: important
Tags: security

Hi,

the following vulnerabilities were published for jasperreports.

I couldn't find much information about them, so I asked a question on
the community board for jasperreports.

https://community.jaspersoft.com/questions/1072461/security-update-cve-2017-14941-cve-2017-5528-cve-2017-5529


CVE-2017-14941[0]:
| Jaspersoft JasperReports 4.7 suffers from a saved credential disclosure
| vulnerability, which allows a remote authenticated user to retrieve
| stored Data Source passwords by accessing flow.html and reading the
| HTML source code of the page reached in an Edit action for a Data
| Source connector.

CVE-2017-5528[1]:
| Multiple JasperReports Server components contain vulnerabilities
| which may allow authorized users to perform cross-site scripting
| (XSS) and cross-site request forgery (CSRF) attacks.  The impact of
| this vulnerability includes the theoretical disclosure of sensitive
| information.  Affects TIBCO JasperReports Server (versions 6.1.1 and
| below, 6.2.0, 6.2.1, and 6.3.0), TIBCO JasperReports Server Community
| Edition (versions 6.3.0 and below), TIBCO JasperReports Server for
| ActiveMatrix BPM (versions 6.2.0 and below), TIBCO Jaspersoft for AWS
| with Multi-Tenancy (versions 6.2.0 and below), and TIBCO Jaspersoft
| Reporting and Analytics for AWS (versions 6.2.0 and below).

CVE-2017-5529[2]:
| JasperReports library components contain an information disclosure
| vulnerability. This vulnerability includes the theoretical disclosure
| of any accessible information from the host file system. Affects TIBCO
| JasperReports Library Community Edition (versions 6.4.0 and below),
| TIBCO JasperReports Library for ActiveMatrix BPM (versions 6.2.0 and
| below), TIBCO JasperReports Professional (versions 6.2.1 and below,
| and 6.3.0), TIBCO JasperReports Server (versions 6.1.1 and below,
| 6.2.0, 6.2.1, 6.3.0), TIBCO JasperReports Server Community Edition
| (versions 6.3.0 and below), TIBCO JasperReports Server for
| ActiveMatrix BPM (versions 6.2.0 and below), TIBCO Jaspersoft for AWS
| with Multi-Tenancy (versions 6.3.0 and below), TIBCO Jaspersoft
| Reporting and Analytics for AWS (versions 6.3.0 and below), and TIBCO
| Jaspersoft Studio for ActiveMatrix BPM (versions 6.2.0 and below).

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-14941
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14941
[1] https://security-tracker.debian.org/tracker/CVE-2017-5528
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5528
[2] https://security-tracker.debian.org/tracker/CVE-2017-5529
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5529

Please adjust the affected versions in the BTS as needed.

