Candidate: CVE-2017-5528
PublicDate: 2017-06-29 14:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5528
 https://www.tibco.com/support/advisories/2017/06/tibco-security-advisory-june-28-2017-tibco-jasperreports-server-2017
Description:
 Multiple JasperReports Server components contain vulnerabilities which may
 allow authorized users to perform cross-site scripting (XSS) and cross-site
 request forgery (CSRF) attacks.  The impact of this vulnerability includes
 the theoretical disclosure of sensitive information.  Affects TIBCO
 JasperReports Server (versions 6.1.1 and below, 6.2.0, 6.2.1, and 6.3.0),
 TIBCO JasperReports Server Community Edition (versions 6.3.0 and below),
 TIBCO JasperReports Server for ActiveMatrix BPM (versions 6.2.0 and below),
 TIBCO Jaspersoft for AWS with Multi-Tenancy (versions 6.2.0 and below), and
 TIBCO Jaspersoft Reporting and Analytics for AWS (versions 6.2.0 and
 below).
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=880467
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H [8.8 HIGH]
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H [8.8 HIGH]


Patches_jasperreports:
upstream_jasperreports: released (6.3.1)
precise/esm_jasperreports: DNE
trusty_jasperreports: ignored (out of standard support)
trusty/esm_jasperreports: DNE
xenial_jasperreports: ignored (end of standard support, was needed)
bionic_jasperreports: not-affected
focal_jasperreports: DNE
groovy_jasperreports: DNE
hirsute_jasperreports: DNE
impish_jasperreports: DNE
jammy_jasperreports: DNE
devel_jasperreports: DNE