JasperReports Community Edition versions 7.1.0 and below are affected by four vulnerabilities that allow unauthenticated read access to the contents of the host system, and by a race-condition vulnerability that may allow any user with domain save privileges to gain superuser privileges. More information about these security issues is available in the official advisories:
- TIBCO JasperReports Library Directory Traversal Vulnerability - CVE-2018-18809
- TIBCO JasperReports Server Privilege Escalation Via Race Condition - CVE-2018-18808
- TIBCO JasperReports Persistent Cross Site Scripting Vulnerability - CVE-2018-18816
- TIBCO JasperReports Server XML Entity Expansion Vulnerability - CVE-2018-8986
- TIBCO JasperReports Server User Information Disclosure - CVE-2018-18815
TIBCO has released an updated version of the application that addresses these issues. For new application deployments, including the Bitnami Launchpad, we have released JasperReports 7.1.1 containers, installers, virtual machines and cloud images that include the security fixes for these vulnerabilities. Users launching Bitnami JasperReports via a cloud marketplace are advised to select version 7.1.1 once it is published.
If you already run a JasperReports server, follow the official documentation to upgrade the application and address these issues.
If you have further questions about this security issue or about Bitnami JasperReports, please post in our community forum. Our support team will be happy to help you there!