CVE-2018-5430

HIGH KEV

TIBCO JasperReports Server - Info Disclosure

Title source: llm

Exploitation Summary

CVE-2018-5430 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added December 29, 2022. EIP tracks 1 public exploit from researchers including Hector Monsegur.

AI-analyzed exploit summary The document details an authenticated directory traversal vulnerability in TIBCO JasperReports, allowing attackers to bypass access controls and read arbitrary files. It includes technical analysis of the vulnerability, affected code paths, and proof-of-concept examples for exploiting the flaw.

Description

The Spring web flows of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, and TIBCO Jaspersoft Reporting and Analytics for AWS contain a vulnerability which may allow any authenticated user read-only access to the contents of the web application, including key configuration files. Affected releases include TIBCO Software Inc.'s TIBCO JasperReports Server: versions up to and including 6.2.4; 6.3.0; 6.3.2; 6.3.3;6.4.0; 6.4.2, TIBCO JasperReports Server Community Edition: versions up to and including 6.4.2, TIBCO JasperReports Server for ActiveMatrix BPM: versions up to and including 6.4.2, TIBCO Jaspersoft for AWS with Multi-Tenancy: versions up to and including 6.4.2, TIBCO Jaspersoft Reporting and Analytics for AWS: versions up to and including 6.4.2.

Exploits (1)

exploitdb WRITEUP

by Hector Monsegur · textwebappsmultiple

https://www.exploit-db.com/exploits/44623

View Code ZIP pw:eip

The document details an authenticated directory traversal vulnerability in TIBCO JasperReports, allowing attackers to bypass access controls and read arbitrary files. It includes technical analysis of the vulnerability, affected code paths, and proof-of-concept examples for exploiting the flaw.

Classification

Writeup 95%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: TIBCO JasperReports (<=6.2.4, 6.3.0, 6.3.2-3, 6.4.0, 6.4.2, CE/ActiveMatrix BPM and Jaspersoft AWS with Multi-Tenancy/Reporting and Analytics for AWS <=6.4.2)

Auth required

Prerequisites: Authenticated access to the JasperReports application

MITRE ATT&CK

T1006 - Direct Volume Access T1083 - File and Directory Discovery

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (4)

Core 4

Core References

US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-5430

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/44623/

Exploit, Third Party Advisory x_refsource_misc

https://rhinosecuritylabs.com/application-security/authenticated-file-read-vulnerability-in-jasperreports/

Broken Link, Vendor Advisory x_refsource_confirm

https://www.tibco.com/support/advisories/2018/04/tibco-security-advisory-april-17-2018-tibco-jasperreports-2018-5430

Scores

CVSS v3 8.8

EPSS 0.4919

EPSS Percentile 98.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation active

Automatable no

Technical Impact partial

Details

CISA KEV 2022-12-29

VulnCheck KEV 2022-12-29

InTheWild.io 2022-12-29

ENISA EUVD EUVD-2018-17200

CWE

CWE-22 CWE-200

Status published

Products (9)

tibco/jasperreports_server 6.3.0

tibco/jasperreports_server 6.3.2

tibco/jasperreports_server 6.3.3

tibco/jasperreports_server 6.4.0

tibco/jasperreports_server 6.4.2

tibco/jasperreports_server < 6.2.4

tibco/jasperreports_server < 6.4.2 (2 CPE variants)

tibco/jaspersoft < 6.4.2

tibco/jaspersoft_reporting_and_analytics < 6.4.2

Published Apr 17, 2018

KEV Added Dec 29, 2022

Tracked Since Feb 18, 2026