IRONSMITHINTEL
MEDIUMCVSS6.5
|
Actively Exploited
|CISA KEV|CVE-2018-18809|Auth: low — authenticated user|Reboot: required|Manual only

TIBCO JasperReports Library Directory Traversal Vulnerability

TIBCO JasperReports Library contains a directory-traversal vulnerability that may allow web server users to access contents of the host system.

Published Mar 7, 2019 · Updated May 16, 2026
Why patchRisk explained in plain English
Worst-case scenarioIf unpatched

A remote attacker, with a low-privilege account, can achieve full data confidentiality loss. Federal agencies are required to remediate by 2023-01-19 under CISA BOD 22-01.

How the attack worksNo clicks needed

This is a Path Traversal (CWE-22) vulnerability in TIBCO JasperReports. The default server implementation of TIBCO Software Inc.'s TIBCO JasperReports Library, TIBCO JasperReports Library Community Edition, TIBCO JasperReports Library for ActiveMatrix BPM, TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, and TIBCO Jaspersoft Reporting and Analytics for AWS contains a directory-traversal vulnerability that may theoretically allow web server users to access contents of the host system. Affected releases are TIBCO Software Inc.'s TIBCO JasperReports Library: versions up to and including 6.3.4; 6.4.1; 6.4.2; 6.4.21; 7.1.0; 7.2.0, TIBCO JasperReports Library Community Edition: versions up to and including 6.7.0, TIBCO JasperReports Library for ActiveMatrix BPM: versions up to and including 6.4.21, TIBCO JasperReports Server: versions up to and including 6.3.4; 6.4.0; 6.4.1; 6.4.2; 6.4.3; 7.1.0, TIBCO JasperReports Server Community Edition: versions up to and including 6.4.3; 7.1.0, TIBCO JasperReports Server for ActiveMatrix BPM: versions up to and including 6.4.3, TIBCO Jaspersoft for AWS with Multi-Tenancy: versions up to and including 7.1.0, TIBCO Jaspersoft Reporting and Analytics for AWS: versions up to and including 7.1.0. Exploitation requires remote network access, low attack complexity, a low-privilege authenticated account, and no user interaction required.

Am I affected?Quick check

Probably yes if any of these apply:

IT Security
Running jasperreports library: v ≤ 6.4.21, v ≤ 6.7.0, 7.1.0, 7.2.0; jasperreports server: v ≤ 6.4.3, 7.1.0; jaspersoft: v ≤ 7.1.0; jaspersoft reporting and analytics: v ≤ 7.1.0
Real-world incidentsWhat we've seen

Active exploitation documented in the wild. Threat-research write-up: https://cybersecurityworks.com/zerodays/cve-2018-18809-tibco.html

How to patch

Manual remediation steps

Apply the Vendor Patch

This vulnerability is in the CISA Known Exploited Vulnerabilities catalog — apply the vendor's security update as soon as possible.

CISA required action: Apply updates per vendor instructions.

References

    1
    Vendor advisory: https://www.tibco.com/support/advisories/2019/03/tibco-security-advisory-march-6-2019-tibco-jasperreports-library-2018-18809
    1
    NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2018-18809
    1
    CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-18809
PowerShell automationComing soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.

References

CVE-2018-18809NVDVendor Advisory