TIBCOSoftware / jasperreports

JasperReports® - Free Java Reporting Library
https://community.jaspersoft.com/downloads/community-edition/
GNU Lesser General Public License v3.0

CVE-2020-9410 #132

Closed NSKuzin closed 4 years ago

NSKuzin commented 4 years ago

A vulnerability has recently been discovered https://nvd.nist.gov/vuln/detail/CVE-2020-9410.

teodord commented 4 years ago

This CVE was reported against JasperReports Library Professional, which is a TIBCO Software product having additional commercial modules on top of JasperReports Library Community Edition. The vulnerability was about the FusionCharts component of JasperReports Library Professional, which does not exist in JasperReports Library Community Edition.

Also, in terms of version numbers, JRL CE has lower version numbers (6.x), compared to JRL Pro, which is nowadays at 7.5.x. Although it appears older, CE 6.x is actually newer compared to Pro 7.5.x.

NSKuzin commented 4 years ago

Thank you for your answer!

nites67 commented 4 years ago

Greetings, is it a false positive? Can anyone please let me know how to resolve this vulnerability?

NSKuzin commented 4 years ago

Hi!

As I understood, this is a false positive. You could temporarily suppress it by adding

    <suppress>
        <notes><![CDATA[file name: jasperreports-<your_version>.jar]]></notes>
        <packageUrl regex="true">^pkg:maven/net\.sf\.jasperreports/jasperreports@.*$</packageUrl>
        <cve>CVE-2020-9410</cve>
    </suppress>

to your OWASP suppression file.
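As an added example (not part of this thread or of the JasperReports project), a small triage helper that reads a dependency-check JSON report and only marks the CVE-2020-9410 finding as suppressible when the matched package is the Community Edition Maven artifact from the suppression snippet above; everything else is left for manual review. The report layout (`dependencies[].packages[].id`, `dependencies[].vulnerabilities[].name`) and the sample report contents are assumptions.

```python
import json
import re

# Same packageUrl regex as in the suppression snippet above: the Community
# Edition artifact coordinates, any version.
CE_PURL_RE = re.compile(r"^pkg:maven/net\.sf\.jasperreports/jasperreports@.*$")
CVE = "CVE-2020-9410"

# Constructed sample of a dependency-check JSON report (shape assumed from the
# tool's report format; file names and versions are made up for illustration).
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "jasperreports-6.12.2.jar",
         "packages": [{"id": "pkg:maven/net.sf.jasperreports/jasperreports@6.12.2"}],
         "vulnerabilities": [{"name": CVE}]},
        {"fileName": "commons-io-2.6.jar",
         "packages": [{"id": "pkg:maven/commons-io/commons-io@2.6"}],
         "vulnerabilities": []},
    ]
})


def triage(report_json):
    """Return (fileName, purls, verdict) for every dependency flagged with the CVE.

    verdict is 'suppressible-CE' only when every package id matched to the jar
    is the Community Edition artifact (the component the maintainer says is
    absent from CE); any other match gets 'review' so the suppression is not
    applied blindly to a different artifact that merely shares the CVE.
    """
    report = json.loads(report_json)
    findings = []
    for dep in report.get("dependencies", []):
        if not any(v.get("name") == CVE for v in dep.get("vulnerabilities", [])):
            continue
        purls = [p.get("id", "") for p in dep.get("packages", [])]
        ce_matches = [p for p in purls if CE_PURL_RE.match(p)]
        verdict = "suppressible-CE" if purls and len(ce_matches) == len(purls) else "review"
        findings.append((dep.get("fileName"), purls, verdict))
    return findings


if __name__ == "__main__":
    for file_name, purls, verdict in triage(SAMPLE_REPORT):
        print(f"{file_name}: {verdict} ({', '.join(purls)})")
```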