ID

VAR-202005-0877


CVE

CVE-2020-9409


TITLE

Inappropriate default permissions in multiple TIBCO JasperReports Server products

Trust: 0.8

sources: JVNDB: JVNDB-2020-005643

DESCRIPTION

The administrative UI component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server for AWS Marketplace, and TIBCO JasperReports Server for ActiveMatrix BPM contains a vulnerability that theoretically allows an unauthenticated attacker to obtain the permissions of a JasperReports Server "superuser" for the affected systems. The attacker can theoretically exploit the vulnerability consistently, remotely, and without authenticating. Affected releases are TIBCO Software Inc.'s TIBCO JasperReports Server: versions 7.1.1 and below, TIBCO JasperReports Server for AWS Marketplace: versions 7.1.1 and below, and TIBCO JasperReports Server for ActiveMatrix BPM: versions 7.1.1 and below. The affected system may be put into a denial-of-service (DoS) state. TIBCO Software JasperReports Server is an embeddable report server from TIBCO Software in the United States. It provides reporting and analysis functions that can be embedded in Web or mobile devices. An attacker could use this vulnerability to obtain the superuser privileges of JasperReports Server and execute arbitrary code.

Trust: 2.16

sources: NVD: CVE-2020-9409 // JVNDB: JVNDB-2020-005643 // CNVD: CNVD-2020-34447

IOT TAXONOMY

category: ['Network device']
sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-34447

AFFECTED PRODUCTS

vendor: oracle
model: retail order broker
scope: eq
version: 15.0

Trust: 1.0

vendor: oracle
model: retail order broker
scope: eq
version: 16.0

Trust: 1.0

vendor: tibco
model: jasperreports server
scope: lte
version: 7.1.1

Trust: 1.0

vendor: tibco
model: jasperreports server
scope: -
version: -

Trust: 0.8

vendor: tibco
model: jasperreports server
scope: eq
version: for aws marketplace

Trust: 0.8

vendor: tibco
model: jasperreports server for activematrix bpm
scope: -
version: -

Trust: 0.8

vendor: tibco
model: software tibco jasperreports server
scope: lte
version: <=7.1.1

Trust: 0.6

vendor: tibco
model: software tibco jasperreports server for aws marketplace
scope: lte
version: <=7.1.1

Trust: 0.6

vendor: tibco
model: software tibco jasperreports server for activematrix bpm
scope: lte
version: <=7.1.1

Trust: 0.6

sources: CNVD: CNVD-2020-34447 // JVNDB: JVNDB-2020-005643 // NVD: CVE-2020-9409

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-9409
value: CRITICAL

Trust: 1.0

security@tibco.com: CVE-2020-9409
value: CRITICAL

Trust: 1.0

NVD: JVNDB-2020-005643
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2020-34447
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202005-1084
value: CRITICAL

Trust: 0.6

nvd@nist.gov: CVE-2020-9409
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2020-005643
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2020-34447
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2020-9409
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 2.0

NVD: JVNDB-2020-005643
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2020-34447 // JVNDB: JVNDB-2020-005643 // CNNVD: CNNVD-202005-1084 // NVD: CVE-2020-9409 // NVD: CVE-2020-9409

PROBLEMTYPE DATA

problemtype: CWE-276

Trust: 1.8

sources: JVNDB: JVNDB-2020-005643 // NVD: CVE-2020-9409

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202005-1084

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202005-1084

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-005643

PATCH

title: Security Advisories
url: http://www.tibco.com/services/support/advisories

Trust: 0.8

title: TIBCO Security Advisory: May 19, 2020 - TIBCO JasperReports Server
url: https://www.tibco.com/support/advisories/2020/05/tibco-security-advisory-may-19-2020-tibco-jasperreports-server

Trust: 0.8

title: Patch for TIBCO Software TIBCO JasperReports Server privilege elevation vulnerability
url: https://www.cnvd.org.cn/patchInfo/show/222915

Trust: 0.6

title: TIBCO Software TIBCO JasperReports Server Security vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=119146

Trust: 0.6

sources: CNVD: CNVD-2020-34447 // JVNDB: JVNDB-2020-005643 // CNNVD: CNNVD-202005-1084

EXTERNAL IDS

db: NVD
id: CVE-2020-9409

Trust: 3.0

db: JVNDB
id: JVNDB-2020-005643

Trust: 0.8

db: CNVD
id: CNVD-2020-34447

Trust: 0.6

db: CNNVD
id: CNNVD-202005-1084

Trust: 0.6

sources: CNVD: CNVD-2020-34447 // JVNDB: JVNDB-2020-005643 // CNNVD: CNNVD-202005-1084 // NVD: CVE-2020-9409

REFERENCES

url: https://nvd.nist.gov/vuln/detail/cve-2020-9409

Trust: 2.0

url: http://www.tibco.com/services/support/advisories

Trust: 1.6

url: https://www.oracle.com/security-alerts/cpuoct2020.html

Trust: 1.6

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-9409

Trust: 0.8

sources: CNVD: CNVD-2020-34447 // JVNDB: JVNDB-2020-005643 // CNNVD: CNNVD-202005-1084 // NVD: CVE-2020-9409

SOURCES

db: CNVD
id: CNVD-2020-34447

db: JVNDB
id: JVNDB-2020-005643

db: CNNVD
id: CNNVD-202005-1084

db: NVD
id: CVE-2020-9409

LAST UPDATE DATE

2024-11-23T22:51:21.527000+00:00


SOURCES UPDATE DATE

db: CNVD
id: CNVD-2020-34447
date: 2020-06-23T00:00:00

db: JVNDB
id: JVNDB-2020-005643
date: 2020-06-19T00:00:00

db: CNNVD
id: CNNVD-202005-1084
date: 2020-10-21T00:00:00

db: NVD
id: CVE-2020-9409
date: 2024-11-21T05:40:35.017

SOURCES RELEASE DATE

db: CNVD
id: CNVD-2020-34447
date: 2020-06-23T00:00:00

db: JVNDB
id: JVNDB-2020-005643
date: 2020-06-19T00:00:00

db: CNNVD
id: CNNVD-202005-1084
date: 2020-05-20T00:00:00

db: NVD
id: CVE-2020-9409
date: 2020-05-20T13:15:10.317