CVE-2018-18815

10.0 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated attackers to bypass authorization checks in TIBCO JasperReports Server's REST API, potentially accessing sensitive data and functionality. Affected systems include multiple TIBCO JasperReports products up to version 7.1.0.

💻 Affected Systems

Products:
  • TIBCO JasperReports Server
  • TIBCO JasperReports Server Community Edition
  • TIBCO JasperReports Server for ActiveMatrix BPM
  • TIBCO Jaspersoft for AWS with Multi-Tenancy
  • TIBCO Jaspersoft Reporting and Analytics for AWS
Versions: Up to and including 6.4.3 and 7.1.0 (specific versions: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 7.1.0)
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: All affected versions in default configuration are vulnerable. The vulnerability exists in the REST API component.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing unauthorized access to all reports, data sources, and administrative functions, potentially leading to data exfiltration or system takeover.

🟠 Likely Case

Unauthorized access to sensitive business reports, confidential data, and system configuration information.

🟢 If Mitigated

Limited impact if proper network segmentation and access controls are in place, though the authorization bypass itself remains possible.

🌐 Internet-Facing: HIGH - Unauthenticated exploitation makes internet-facing instances particularly vulnerable to attack.
🏢 Internal Only: HIGH - Even internal systems are vulnerable to insider threats or compromised internal accounts.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

No public exploit code has been identified, but the CVSS 10.0 score indicates that exploitation is trivial, and authorization bypass vulnerabilities of this kind are commonly weaponized.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 6.4.3 and 7.1.0 - consult vendor advisory for specific patched versions

Vendor Advisory: https://www.tibco.com/support/advisories/2019/03/tibco-security-advisory-march-6-2019-tibco-jasperreports-server-2018-18815

Restart Required: Yes

Instructions:

1. Review the vendor advisory for the specific patched versions.
2. Apply vendor-provided patches or upgrade to the fixed versions.
3. Restart JasperReports Server services.
4. Verify the fix by testing authorization controls.

🔧 Temporary Workarounds

Network Access Restriction (platform: linux)

Restrict network access to JasperReports Server to only trusted IP addresses and networks.

Use firewall rules to limit access (replace trusted_network with your own address range; the ACCEPT rule must precede the DROP rule):

  iptables -A INPUT -p tcp --dport 8080 -s trusted_network -j ACCEPT
  iptables -A INPUT -p tcp --dport 8080 -j DROP

Reverse Proxy with Authentication (platform: all)

Place JasperReports Server behind a reverse proxy that enforces authentication before requests reach the vulnerable REST API, and make sure the server itself is reachable only from the proxy, otherwise the proxy can be bypassed.

Configure Apache/Nginx with authentication (Nginx directives shown):

  auth_basic 'Restricted';
  auth_basic_user_file /path/to/.htpasswd;

🧯 If You Can't Patch

  • Implement strict network segmentation and firewall rules to limit access to only necessary users
  • Deploy a web application firewall (WAF) with rules to detect and block authorization bypass attempts

🔍 How to Verify

Check if Vulnerable:

Check JasperReports Server version against affected versions list. Attempt to access REST API endpoints without authentication to test authorization controls.

Check Version:

Check JasperReports Server web interface or configuration files for version information. Typically visible in admin console or /jasperserver/login.html

Verify Fix Applied:

After patching, attempt to access protected REST API endpoints without authentication; the server should return proper authorization errors rather than the requested resource. Verify that the version is updated beyond the affected versions.

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated access attempts to REST API endpoints
  • Successful responses for protected resources to requests that carry no authenticated session
  • Unusual access patterns to /rest_v2/ endpoints

Network Indicators:

  • HTTP requests to JasperReports REST API without authentication headers
  • Unusual traffic patterns to JasperReports Server port (typically 8080)

SIEM Query:

source="jasperreports.log" AND (http_method="GET" OR http_method="POST") AND uri_path="/rest_v2/*" AND user="anonymous"
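The log indicators above, as an added example that is not part of the original advisory: a small Python triage script that scans access-log lines for successful (2xx) requests to /rest_v2/ paths with no authenticated principal, which is the pattern a bypass would leave, while ignoring requests the server correctly rejected. The log lines are constructed samples, and the combined log format and the "-"/"anonymous" markers for an unauthenticated user are assumptions about the deployment.

```python
from __future__ import annotations
import re
from collections import Counter

# Constructed sample lines (not from a real server) in Apache/Tomcat combined
# log format; the real access-log format of a given deployment is an assumption.
SAMPLE_LOG = """\
10.0.0.5 - jasperadmin [06/Mar/2019:10:15:01 +0000] "GET /jasperserver/rest_v2/reports HTTP/1.1" 200 1843
203.0.113.7 - - [06/Mar/2019:10:15:07 +0000] "GET /jasperserver/rest_v2/resources HTTP/1.1" 200 9120
203.0.113.7 - - [06/Mar/2019:10:15:09 +0000] "POST /jasperserver/rest_v2/users HTTP/1.1" 200 310
198.51.100.2 - - [06/Mar/2019:10:16:00 +0000] "GET /jasperserver/login.html HTTP/1.1" 200 5011
203.0.113.7 - anonymous [06/Mar/2019:10:16:30 +0000] "GET /jasperserver/rest_v2/reports HTTP/1.1" 401 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)
UNAUTHENTICATED = {"-", "anonymous"}  # assumed markers for "no principal"

def parse_log(text: str) -> list[dict]:
    """Parse combined-format lines into dicts; unparsable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            entries.append(entry)
    return entries

def suspicious_rest_requests(text: str) -> list[dict]:
    """Unauthenticated requests to /rest_v2/ that the server answered with 2xx.

    A 401/403 means the anonymous request was refused, which is the expected
    behaviour; a 2xx with no principal is the bypass pattern worth triaging.
    """
    return [
        e for e in parse_log(text)
        if "/rest_v2/" in e["path"]
        and e["user"] in UNAUTHENTICATED
        and 200 <= e["status"] < 300
    ]

def hits_by_source(text: str) -> dict[str, int]:
    """Count suspicious hits per client IP to prioritise investigation."""
    return dict(Counter(e["ip"] for e in suspicious_rest_requests(text)))
```

Run against the real access log by passing its contents instead of SAMPLE_LOG; any non-empty result deserves a closer look at the source address and the resources it retrieved.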
