Security vulnerability CVE-2020-9410 for jasper-report library v6.8.1

3

Hi All,

We're using the standalone jasperreports library v6.8.1 (community edition) in embedded mode with our product. As per the published CVE-2020-9410, it seems all jasperreports versions 7.1.1 and below are vulnerable to this security issue. Can you please confirm if this is applicable to the jasperreport library 6.8.1 when used inside an application which doesn't use Jasper's HTML component to render the report output? If yes, then which version of the jasperreports library will fix this issue and what is the release date for this? Will there be any patch for existing versions like v6.8.1?


Thanks, 

Sameer Mandaokar

Joined: Jan 25 2019 - 6:04am
Last seen: 2 months 2 weeks ago

Can anybody confirm?

The OWASP dependency scan detected high severity but a low confidence level. Currently, the highest version in the Maven repository is 6.12.2. No release note information indicates that it fixes the CVE issue.

nicksgg - 4 months 1 week ago

Any information on this?

nicksgg - 4 months 1 week ago

2 Answers:

0

Please refer to these resources. As TIBCO employees, we are not at liberty to discuss these CVEs outside of these resources:

Security Advisories

TIBCO distributes information about security vulnerabilities and remediation in its products through security advisories.

Public Security Notices

TIBCO’s response to general publicly announced security issues can be found on our Public Notices page.


103700
Joined: May 25 2012 - 11:10am
Last seen: 3 hours 53 min ago
1

https://github.com/TIBCOSoftware/jasperreports/issues/132#issuecomment-633465921
> The vulnerability was about the FusionCharts component of JasperReports Library Professional, which does not exist in JasperReports Library Community Edition.

12
Joined: May 29 2015 - 2:43am
Last seen: 4 months 1 week ago