ZDI-CAN-7654: Jaspersoft JasperReports Server DiagnosticDataCipherer Hard-coded Cryptographic Key Information Disclosure Vulnerability
This vulnerability allows the decryption of the passwords on vulnerable installations of Jaspersoft JasperReports Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within encryption of user passwords in the DiagnosticDataCipherer class. A hard-coded cryptographic key is used which can allow the reversal of the encryption process. An attacker can leverage this vulnerability in conjunction with other vulnerabilities to bypass authentication on the system.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Jaspersoft |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of ZDI-CAN-7654?
The severity of ZDI-CAN-7654 is high due to its potential for unauthenticated password decryption.
How do I fix ZDI-CAN-7654?
To fix ZDI-CAN-7654, update your Jaspersoft JasperReports Server to the latest patched version.
What does ZDI-CAN-7654 affect?
ZDI-CAN-7654 affects installations of Jaspersoft JasperReports Server where user passwords are inadequately encrypted.
Is authentication required to exploit ZDI-CAN-7654?
No, exploitation of ZDI-CAN-7654 does not require authentication.
What specific flaw does ZDI-CAN-7654 involve?
ZDI-CAN-7654 involves a vulnerability in the encryption of user passwords within the DiagnosticDataCipherer class.
- agent/references
- agent/title
- agent/severity
- agent/description
- agent/type
- agent/source
- agent/softwarecombine
- agent/tags
- agent/event
- collector/zdi-advisory
- source/ZDI
- alias/ZDI-19-305
- alias/ZDI-CAN-7654
- alias/CVE-2018-18815
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/jaspersoft
- canonical/jaspersoft