Two JasperReports flaws have been added to the US Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities Catalog. The JasperReports library is reportedly the world's most popular open source reporting engine, and the affected JasperReports software is the component that lets non-technical users create reports and perform related functions. CISA allegedly learned about the vulnerabilities in 2018, but they have been exploited in attacks since.
The flaws include a critical directory traversal issue that allows webserver users to access host system data, including credentials for accessing additional systems. This flaw was originally patched in March 2019. It affects products of major vendors that embed JasperReports, such as IBM products. The other bug is a high-severity information disclosure issue that affects JasperReports Server and was addressed in April 2018. Those impacted should apply the patches immediately and refer to CISA's report.
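The directory traversal class of flaw described above comes down to a server building a filesystem path from user input without confirming the result stays inside the intended directory. The following is an added illustration, not code from JasperReports or from the article, of the containment check that prevents it and of the same check applied as a detection over access log lines; the log format, the `file` query parameter and the `/srv/reports` root are constructed assumptions.

```python
from pathlib import Path
from urllib.parse import parse_qs, unquote, urlsplit


def resolve_under_root(root: str, requested: str):
    """Return the absolute path for `requested` if it stays under `root`,
    else None. Resolving both sides collapses '..' segments and follows
    symlinks before the containment check, so 'a/../b' is accepted only
    when the final location is still inside the root."""
    root_path = Path(root).resolve()
    # unquote() catches a second layer of percent-encoding the caller may
    # have missed; an absolute `requested` replaces the root and is rejected.
    candidate = (root_path / unquote(requested)).resolve()
    try:
        candidate.relative_to(root_path)
    except ValueError:
        return None
    return str(candidate)


# Constructed access log lines in a minimal "METHOD URL STATUS" format
# (hypothetical endpoint and parameter name, not the real product's).
CONSTRUCTED_LOG = [
    "GET /reports/view?file=monthly/sales.jrxml 200",
    "GET /reports/view?file=..%2F..%2Fetc%2Fpasswd 200",
    "GET /reports/view?file=%2e%2e/%2e%2e/WEB-INF/web.xml 200",
    "GET /reports/view?file=monthly/../q1.jrxml 200",
]


def flag_traversal_attempts(root: str, lines):
    """Return the log lines whose `file` parameter resolves outside `root`.
    Reusing the same containment rule the server should enforce means the
    detector and the mitigation cannot disagree about what 'outside' means."""
    flagged = []
    for line in lines:
        _method, url, _status = line.split()
        params = parse_qs(urlsplit(url).query)  # parse_qs percent-decodes once
        for requested in params.get("file", []):
            if resolve_under_root(root, requested) is None:
                flagged.append(line)
    return flagged


if __name__ == "__main__":
    for line in flag_traversal_attempts("/srv/reports", CONSTRUCTED_LOG):
        print("traversal attempt:", line)
```

Note that the fourth constructed line is not flagged: its `..` segment never leaves the root, which is why a resolve-then-compare check is more accurate than rejecting any request containing `..`.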
Read More: CISA Says Two Old JasperReports Vulnerabilities Exploited in Attacks