Package: jasperreports
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

the following vulnerabilities were published for jasperreports.

I couldn't find much information about them, so I asked a question on
the community board for jasperreports.
https://community.jaspersoft.com/questions/1072461/security-update-cve-2017-14941-cve-2017-5528-cve-2017-5529

CVE-2017-14941[0]:
| Jaspersoft JasperReports 4.7 suffers from a saved credential disclosure
| vulnerability, which allows a remote authenticated user to retrieve
| stored Data Source passwords by accessing flow.html and reading the
| HTML source code of the page reached in an Edit action for a Data
| Source connector.

CVE-2017-5528[1]:
| Multiple JasperReports Server components contain vulnerabilities
| which may allow authorized users to perform cross-site scripting
| (XSS) and cross-site request forgery (CSRF) attacks. The impact of
| this vulnerability includes the theoretical disclosure of sensitive
| information. Affects TIBCO JasperReports Server (versions 6.1.1 and
| below, 6.2.0, 6.2.1, and 6.3.0), TIBCO JasperReports Server Community
| Edition (versions 6.3.0 and below), TIBCO JasperReports Server for
| ActiveMatrix BPM (versions 6.2.0 and below), TIBCO Jaspersoft for AWS
| with Multi-Tenancy (versions 6.2.0 and below), and TIBCO Jaspersoft
| Reporting and Analytics for AWS (versions 6.2.0 and below).

CVE-2017-5529[2]:
| JasperReports library components contain an information disclosure
| vulnerability. This vulnerability includes the theoretical disclosure
| of any accessible information from the host file system. Affects TIBCO
| JasperReports Library Community Edition (versions 6.4.0 and below),
| TIBCO JasperReports Library for ActiveMatrix BPM (versions 6.2.0 and
| below), TIBCO JasperReports Professional (versions 6.2.1 and below,
| and 6.3.0), TIBCO JasperReports Server (versions 6.1.1 and below,
| 6.2.0, 6.2.1, 6.3.0), TIBCO JasperReports Server Community Edition
| (versions 6.3.0 and below), TIBCO JasperReports Server for
| ActiveMatrix BPM (versions 6.2.0 and below), TIBCO Jaspersoft for AWS
| with Multi-Tenancy (versions 6.3.0 and below), TIBCO Jaspersoft
| Reporting and Analytics for AWS (versions 6.3.0 and below), and TIBCO
| Jaspersoft Studio for ActiveMatrix BPM (versions 6.2.0 and below).

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-14941
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14941
[1] https://security-tracker.debian.org/tracker/CVE-2017-5528
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5528
[2] https://security-tracker.debian.org/tracker/CVE-2017-5529
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5529

Please adjust the affected versions in the BTS as needed.