CVE-2011-1911 - Vulnerability Details - OpenCVE

JasperServer in JasperReports Server Community Project 3.7.0 and 3.7.1 uses a predictable _flowExecutionKey parameter, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via a brute-force approach.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Jasperforge	Jasperreports Server Community Project

Configuration 1 [-]

OR	cpe:2.3:a:jasperforge:jasperreports_server_community_project:3.7.0:::::::*
	cpe:2.3:a:jasperforge:jasperreports_server_community_project:3.7.1:::::::*

No data.

References

Link	Providers
http://www.csirtcv.gva.es/es/alertas/vulnerabilidad-en-jasperserver.html
http://www.csirtcv.gva.es/sites/all/files/images/content/%5BCSIRT-cv%5D%20JasperServer%203.7.0%20CE%20CSRF%20Advisory.pdf
http://www.kb.cert.org/vuls/id/519588
http://www.kb.cert.org/vuls/id/MAPG-8ELLJC
http://www.securityfocus.com/bid/49649
https://exchange.xforce.ibmcloud.com/vulnerabilities/69849

History

No history.

MITRE

Status: PUBLISHED

Assigner: certcc

Published: 2011-09-20T10:00:00

Updated: 2024-08-06T22:45:59.974Z

Reserved: 2011-05-09T00:00:00

Link: CVE-2011-1911

Vulnrichment

No data.

NVD

Status : Modified

Published: 2011-09-20T10:55:03.920

Modified: 2024-11-21T01:27:18.050

Link: CVE-2011-1911

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2011-09-15T00:00:00", "descriptions": [{"lang": "en", "value": "JasperServer in JasperReports Server Community Project 3.7.0 and 3.7.1 uses a predictable _flowExecutionKey parameter, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via a brute-force approach."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-08-16T14:57:01", "orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://www.csirtcv.gva.es/sites/all/files/images/content/%5BCSIRT-cv%5D%20JasperServer%203.7.0%20CE%20CSRF%20Advisory.pdf"}, {"tags": ["x_refsource_MISC"], "url": "http://www.csirtcv.gva.es/es/alertas/vulnerabilidad-en-jasperserver.html"}, {"name": "jasperreports-flowexecutionkey-csrf(69849)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/69849"}, {"name": "VU#519588", "tags": ["third-party-advisory", "x_refsource_CERT-VN"], "url": "http://www.kb.cert.org/vuls/id/519588"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.kb.cert.org/vuls/id/MAPG-8ELLJC"}, {"name": "49649", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/49649"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cert@cert.org", "ID": "CVE-2011-1911", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "JasperServer in JasperReports Server Community Project 3.7.0 and 3.7.1 uses a predictable _flowExecutionKey parameter, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via a brute-force approach."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://www.csirtcv.gva.es/sites/all/files/images/content/%5BCSIRT-cv%5D%20JasperServer%203.7.0%20CE%20CSRF%20Advisory.pdf", "refsource": "MISC", "url": "http://www.csirtcv.gva.es/sites/all/files/images/content/%5BCSIRT-cv%5D%20JasperServer%203.7.0%20CE%20CSRF%20Advisory.pdf"}, {"name": "http://www.csirtcv.gva.es/es/alertas/vulnerabilidad-en-jasperserver.html", "refsource": "MISC", "url": "http://www.csirtcv.gva.es/es/alertas/vulnerabilidad-en-jasperserver.html"}, {"name": "jasperreports-flowexecutionkey-csrf(69849)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/69849"}, {"name": "VU#519588", "refsource": "CERT-VN", "url": "http://www.kb.cert.org/vuls/id/519588"}, {"name": "http://www.kb.cert.org/vuls/id/MAPG-8ELLJC", "refsource": "CONFIRM", "url": "http://www.kb.cert.org/vuls/id/MAPG-8ELLJC"}, {"name": "49649", "refsource": "BID", "url": "http://www.securityfocus.com/bid/49649"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T22:45:59.974Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.csirtcv.gva.es/sites/all/files/images/content/%5BCSIRT-cv%5D%20JasperServer%203.7.0%20CE%20CSRF%20Advisory.pdf"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.csirtcv.gva.es/es/alertas/vulnerabilidad-en-jasperserver.html"}, {"name": "jasperreports-flowexecutionkey-csrf(69849)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/69849"}, {"name": "VU#519588", "tags": ["third-party-advisory", "x_refsource_CERT-VN", "x_transferred"], "url": "http://www.kb.cert.org/vuls/id/519588"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.kb.cert.org/vuls/id/MAPG-8ELLJC"}, {"name": "49649", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/49649"}]}]}, "cveMetadata": {"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "assignerShortName": "certcc", "cveId": "CVE-2011-1911", "datePublished": "2011-09-20T10:00:00", "dateReserved": "2011-05-09T00:00:00", "dateUpdated": "2024-08-06T22:45:59.974Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jasperforge:jasperreports_server_community_project:3.7.0:*:*:*:*:*:*:*", "matchCriteriaId": "ABBE8E6D-B779-43D9-A480-611AE29D0EE3", "vulnerable": true}, {"criteria": "cpe:2.3:a:jasperforge:jasperreports_server_community_project:3.7.1:*:*:*:*:*:*:*", "matchCriteriaId": "0FC7D494-4E39-42F9-9722-0E77D26FAF08", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "JasperServer in JasperReports Server Community Project 3.7.0 and 3.7.1 uses a predictable _flowExecutionKey parameter, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via a brute-force approach."}, {"lang": "es", "value": "JasperServer en JasperReports Server Community Project v3.7.0 y v3.7.1 utiliza un par\u00e1metro _flowExecutionKey predecible, lo que hace m\u00e1s f\u00e1cil para los atacantes remotos realizar solicitud de cross-site falsificaci\u00f3n (CSRF) para atacar a trav\u00e9s de un enfoque de fuerza bruta."}], "id": "CVE-2011-1911", "lastModified": "2024-11-21T01:27:18.050", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2011-09-20T10:55:03.920", "references": [{"source": "cret@cert.org", "url": "http://www.csirtcv.gva.es/es/alertas/vulnerabilidad-en-jasperserver.html"}, {"source": "cret@cert.org", "url": "http://www.csirtcv.gva.es/sites/all/files/images/content/%5BCSIRT-cv%5D%20JasperServer%203.7.0%20CE%20CSRF%20Advisory.pdf"}, {"source": "cret@cert.org", "tags": ["US Government Resource"], "url": "http://www.kb.cert.org/vuls/id/519588"}, {"source": "cret@cert.org", "tags": ["US Government Resource"], "url": "http://www.kb.cert.org/vuls/id/MAPG-8ELLJC"}, {"source": "cret@cert.org", "url": "http://www.securityfocus.com/bid/49649"}, {"source": "cret@cert.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/69849"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.csirtcv.gva.es/es/alertas/vulnerabilidad-en-jasperserver.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.csirtcv.gva.es/sites/all/files/images/content/%5BCSIRT-cv%5D%20JasperServer%203.7.0%20CE%20CSRF%20Advisory.pdf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["US Government Resource"], "url": "http://www.kb.cert.org/vuls/id/519588"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["US Government Resource"], "url": "http://www.kb.cert.org/vuls/id/MAPG-8ELLJC"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/49649"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/69849"}], "sourceIdentifier": "cret@cert.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}]}