We're using the standalone JasperReports Library v6.8.1 (Community Edition) in embedded mode with our product. As per the published CVE-2020-9410, it seems all JasperReports versions 7.1.1 and below are vulnerable to this security issue. Can you please confirm whether this is applicable to the JasperReports library 6.8.1 when used inside an application which doesn't use Jasper's HTML component to render the report output? If yes, then which version of the JasperReports library will fix this issue, and what is the release date for it? Will there be any patch for existing versions like v6.8.1?
Please refer to these resources. As TIBCO employees, we are not at liberty to discuss these CVEs outside of these resources:
TIBCO distributes information about security vulnerabilities and remediation in its products through security advisories.
Public Security Notices
TIBCO’s response to general publicly announced security issues can be found on our Public Notices page.
> The vulnerability was about the FusionCharts component of JasperReports Library Professional, which does not exist in JasperReports Library Community Edition.
Can anybody confirm?
The OWASP dependency scan detected this as high severity but with a low confidence level. Currently, the highest version in the Maven repository is 6.12.2. No release note information indicates that it fixes the CVE issue.
Any information on this?