CVE-2020-9409
CRITICALTIBCO JasperReports Server < 7.1.1 - Unauthenticated Privilege Escalation to Superuser
Title source: llmDescription
The administrative UI component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server for AWS Marketplace, and TIBCO JasperReports Server for ActiveMatrix BPM contains a vulnerability that theoretically allows an unauthenticated attacker to obtain the permissions of a JasperReports Server "superuser" for the affected systems. The attacker can theoretically exploit the vulnerability consistently, remotely, and without authenticating. Affected releases are TIBCO Software Inc.'s TIBCO JasperReports Server: versions 7.1.1 and below, TIBCO JasperReports Server for AWS Marketplace: versions 7.1.1 and below, and TIBCO JasperReports Server for ActiveMatrix BPM: versions 7.1.1 and below.
References (2)
Core 2
Core References
Vendor Advisory x_refsource_confirm
http://www.tibco.com/services/support/advisories
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuoct2020.html
Scores
CVSS v3
9.8
EPSS
0.0314
EPSS Percentile
87.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-276
Status
published
Products (3)
oracle/retail_order_broker
15.0
oracle/retail_order_broker
16.0
tibco/jasperreports_server
< 7.1.1 (3 CPE variants)
Published
May 20, 2020
Tracked Since
Feb 18, 2026