6.8 - VU#519588

Executive Summary

This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.

Summary
Title	JasperServer cross-site request forgery vulnerability

Informations
Name	VU#519588	First vendor Publication	2011-09-15
Vendor	VU-CERT	Last vendor Modification	2011-09-15
Severity (Vendor)	N/A	Revision	M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Cvss Base Score	6.8	Attack Range	Network
Cvss Impact Score	6.4	Attack Complexity	Medium
Cvss Expoit Score	8.6	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#519588

JasperServer cross-site request forgery vulnerability

Overview

JasperSoft's JasperServer is vulnerable to a cross-site request forgery (CSRF) vulnerability.

I. Description

According to JasperSoft's website: "JasperReports Server is a powerful, yet flexible and lightweight reporting server. Generate, organize, secure, and deliver interactive reports and dashboards to users. Allow non-technical users to build their own reports and dashboards." The JasperSoft's JasperServer fails to adequately randomize certain parameters within the application creating cross-site request forgery (CSRF) vulnerabilities. According to the vulnerability reporter "One of the parameters (_flowExecutionKey)is predictable and can be determined with a very high probability of success in bruteforce attacks with less than 100 requests".

This vulnerability has been reported to affect JasperServer 3.7.0 Community Edition and JasperServer 3.7.1 Community Edition. Other versions may be affected.

II. Impact

By convincing a victim to load a specially crafted URL while authenticated to a JasperServer, an attacker could obtain user credentials or perform certain actions as that user. Exploiting the CSRF vulnerabilities could allow an attacker to take certain actions via the web interface, including adding users to the JasperServer.

III. Solution

We are currently unaware of a practical solution to this problem.

Restrict access

As a general good security practice, only allow connections from trusted hosts and networks. Consider setting up management networks as separate and dedicated channels. Note that restricting access does not prevent XSS or CSRF attacks since the attack comes as an HTTP request from a legitimate user's host. Restricting access would prevent an attacker from accessing a JasperServer using stolen credentials from a blocked network location.

Vendor Information

Vendor	Status	Date Notified	Date Updated
Jaspersoft Corporation	Affected	2011-03-03	2011-09-12

References

http://www.csirtcv.gva.es/es/alertas/vulnerabilidad-en-jasperserver.html

Credit

Thanks to Computer Security Incident Response Team of the Valencian Community for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

Date Public:	2011-09-15
Date First Published:	2011-09-15
Date Last Updated:	2011-09-15
CERT Advisory:
CVE-ID(s):	CVE-2011-1911
NVD-ID(s):	CVE-2011-1911
US-CERT Technical Alerts:
Severity Metric:	0.65
Document Revision:	15

Original Source

Url : http://www.kb.cert.org/vuls/id/519588

CWE : Common Weakness Enumeration

%	Id	Name
100 %	CWE-352	Cross-Site Request Forgery (CSRF) (CWE/SANS Top 25)

CPE : Common Platform Enumeration

Type	Description	Count
Application	Jasperforge Jasperreports Server Community Project cpe:2.3:a:jasperforge:jasperreports_server_community_project:3.7.1:::::::* cpe:2.3:a:jasperforge:jasperreports_server_community_project:3.7.0:::::::*	2

Open Source Vulnerability Database (OSVDB)

Id	Description
75535	JasperReports Server User Addition CSRF JasperReports Server contains a flaw that allows a remote Cross-site Request Forgery (CSRF / XSRF) attack. The flaw exists because the application does not require multiple steps or explicit confirmation for sensitive transactions for the addition of users. By using a crafted URL (e.g., a crafted GET request inside an "img" tag), an attacker may trick the victim into clicking on the image to take advantage of the trust relationship between the authenticated victim and the application. Such an attack could trick the victim into executing arbitrary commands in the context of their session with the application, without further prompting or verification.

Description

75535

JasperReports Server User Addition CSRF

JasperReports Server contains a flaw that allows a remote Cross-site Request Forgery (CSRF / XSRF) attack. The flaw exists because the application does not require multiple steps or explicit confirmation for sensitive transactions for the addition of users. By using a crafted URL (e.g., a crafted GET request inside an "img" tag), an attacker may trick the victim into clicking on the image to take advantage of the trust relationship between the authenticated victim and the application. Such an attack could trick the victim into executing arbitrary commands in the context of their session with the application, without further prompting or verification.

Global Informations

Type	Count
CWE ID(s)	1
CPE ID(s)	2
osvdb(s)	1

	Related
6.8	CVE-2011-1911
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 1 more Alert(s)