Jasper version: 6.4.3
Server version: Apache Tomcat/8.5.24
Our internal security team identified a vulnerability on Jasper (Spectrum) Tomcat: "Apache Tomcat HTTP Request Smuggling (CVE-2020-1935)".
Apache Tomcat HTTP Request Smuggling(CVE-2020-1935)
"Apache Tomcat is an open source web server and servlet container developed by the Apache Software Foundation.
An HTTP Request Smuggling vulnerability exists if Apache Tomcat is located behind a reverse proxy that incorrectly handles the invalid Transfer-Encoding header in a particular manner.
Apache Tomcat 9.0.0.M1 to 9.0.30
Apache Tomcat 8.5.0 to 8.5.50
Apache Tomcat 7.0.0 to 7.0.99
QID Detection Logic:
The QID checks for a vulnerable version by sending a GET /QUALYS13812 HTTP/1.0 request, which helps in retrieving the installed version of Apache Tomcat in the banner of the response."
Exploitation of the vulnerability could lead to HTTP request smuggling.
Release : 10.4
Component : OneClick Report Manager / Jaspersoft / CABI
Export the data
Install Jasper with a custom Tomcat version
You can follow the steps given in the link below
In Step 8, choose Custom Install:
If a different version of Apache Tomcat is required, select Custom Install. In subsequent steps, the location and/or connection information about one or both of these pre-installed components must be provided. If a custom install is preferred, select Custom Install, then click Next (skip to section Custom Installation below to continue).
Import the Data
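A version check for the custom Tomcat chosen above, as an added example that is not part of the original article or the vendor's tooling: it reads a banner or "Server version:" line and tests it against the affected ranges listed in the scanner text. The function names and the sample lines are constructed for illustration.

```python
import re

# Inclusive ranges copied from the scanner text quoted in this article.
# 9.0.0.M1 is the first 9.0.0 milestone, so every 9.0.0.Mn build maps to (9, 0, 0).
AFFECTED_RANGES = [
    ((9, 0, 0), (9, 0, 30)),
    ((8, 5, 0), (8, 5, 50)),
    ((7, 0, 0), (7, 0, 99)),
]

VERSION_RE = re.compile(r"Apache Tomcat/(\d+)\.(\d+)\.(\d+)")


def parse_tomcat_version(text):
    """Return (major, minor, patch) from a banner or 'Server version:' line."""
    match = VERSION_RE.search(text)
    if match is None:
        # A hidden or rewritten banner proves nothing about the real version.
        raise ValueError("no Apache Tomcat version found in: %r" % text)
    return tuple(int(part) for part in match.groups())


def is_affected(text):
    """True if the reported version is inside a range listed for CVE-2020-1935."""
    version = parse_tomcat_version(text)
    return any(low <= version <= high for low, high in AFFECTED_RANGES)


def report(lines):
    """Map each input line to 'affected', 'not listed' or 'unknown'."""
    results = {}
    for line in lines:
        try:
            results[line] = "affected" if is_affected(line) else "not listed"
        except ValueError:
            results[line] = "unknown"
    return results


if __name__ == "__main__":
    # Constructed sample input; the first line is the version reported in this article.
    samples = [
        "Server version: Apache Tomcat/8.5.24",
        "Server version: Apache Tomcat/8.5.51",
        "Server version: Apache Tomcat/9.0.0.M1",
        "Server: Apache-Coyote/1.1",
    ]
    for line, status in report(samples).items():
        print("%-45s %s" % (line, status))
```

A result of "not listed" only means the version is outside the three ranges quoted here; "unknown" means the banner gave no version and the install has to be checked another way.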