
Security vulnerability CVE-2020-9410 for jasper-report library v6.8.1


Sameer Mandaokar
Solved by djohnson53


Hi All,

We're using the standalone jasperreports library v6.8.1 (community edition) in embedded mode with our product. As per the published CVE-2020-9410, it seems all jasperreports versions 7.1.1 and below are vulnerable to this security issue. Can you please confirm whether this is applicable to jasperreport library 6.8.1 when used inside an application which doesn't use Jasper's HTML component to render the report output? If yes, then which version of the jasperreports library will fix this issue, and what is the release date for it? Will there be any patch for existing versions like v6.8.1?

 

Thanks, 

Sameer Mandaokar

Can anybody confirm?

The OWASP dependency scan detected high severity but a low confidence level. Currently, in the Maven repository, the highest level is 6.12.2. No release note information indicates it is fixing the CVE issue.


  • Solution

Please refer to these resources. As TIBCO employees, we are not at liberty to discuss these CVEs outside of these resources:

Security Advisories

TIBCO distributes information about security vulnerabilities and remediation in its products through security advisories.

Public Security Notices

TIBCO’s response to general publicly announced security issues can be found on our Public Notices page.

 
