Arbitrary File Export (11629)
Description
Product Alert – February 2025 - CVE-2024-11629
- Progress® Telerik® Document Processing Libraries 2024 Q4 (2024.4.1106) or earlier.
Issue
CWE-552 Files or Directories Accessible to External Parties
What Are the Impacts
In Progress Telerik Document Processing Libraries, versions prior to 2025 Q1 (2025.1.2xx), using .NET Standard 2.0, the contents of a file at an arbitrary path can be exported to RTF.
Solution
We have addressed the issue and the Progress Telerik team strongly recommends performing an upgrade to the latest version listed in the table below.
| Current Version | Guidance |
|---|---|
| 2024 Q4 (2024.4.1106) or earlier | Update to 2025 Q1 (2025.1.2xx) (update instructions) |
All customers who have a Telerik license can access the downloads at Product Downloads | Your Account. Note that Telerik Document Processing is not a separate product; it is distributed with the primary product you are using. Therefore, we recommend upgrading the primary product to 2025 Q1 to automatically receive the Document Processing improvements. More information can be found in: What Versions of Document Processing Libraries are Distributed with the Telerik Products.
Notes
- To check your version of Document Processing, look at the Properties of `Telerik.Documents.*.dll` (or `Telerik.Windows.Document.*.dll`) files and inspect the Version value.
- If you have any questions or concerns related to this issue, open a new Technical Support case in Your Account | Support Center. Technical Support is available to Telerik customers with an active support plan.
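The version check from the first note can be scripted across a whole deployment folder. The following PowerShell is an added example, not Telerik's own tooling; the function name `Get-TelerikDplStatus` and the `-Root` parameter are hypothetical, and the only threshold it uses is the 2024.4.1106 value from the table above.

```powershell
# Added example: inventory Telerik Document Processing assemblies under a folder
# and flag those at or below the last affected version listed in the advisory.

# Highest affected version from the advisory table (2024 Q4).
$LastAffected = [version]'2024.4.1106'

# File name patterns from the advisory's Notes. The second wildcard is widened
# so it matches both "Document" and "Documents" spellings of the assembly name.
$Patterns = 'Telerik.Documents.*.dll', 'Telerik.Windows.Document*.dll'

function Get-TelerikDplStatus {
    param(
        # Assumption: root folder of the deployed application(s) to scan.
        [string]$Root = '.'
    )

    Get-ChildItem -Path $Root -Recurse -File -Include $Patterns -ErrorAction SilentlyContinue |
        ForEach-Object {
            $vi = $_.VersionInfo

            # Use the numeric parts rather than the FileVersion string, which may
            # carry a fourth component or free text that [version] cannot parse.
            $ver = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart)

            $status =
                if ($vi.FileMajorPart -eq 0 -and $vi.FileMinorPart -eq 0 -and $vi.FileBuildPart -eq 0) {
                    # No version resource in the file: needs a manual look.
                    'UNKNOWN (no version resource)'
                }
                elseif ($ver -le $LastAffected) {
                    'AFFECTED (update to 2025 Q1)'
                }
                else {
                    # The advisory gives the fixed build only as 2025.1.2xx, so
                    # anything newer than 2024.4.1106 is reported for confirmation.
                    'Above 2024.4.1106 (confirm it is a 2025 Q1 build)'
                }

            [pscustomobject]@{
                Version = $ver
                Status  = $status
                Path    = $_.FullName
            }
        }
}

# Scan the current directory tree and list affected files first.
Get-TelerikDplStatus -Root '.' | Sort-Object Version | Format-Table -AutoSize -Wrap
```

Because the libraries ship inside the primary Telerik product, point `-Root` at each application's deployment or `bin` folder rather than at a single install location.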
External References
CVE-2024-11629 (HIGH)
CVSS: 7.1
In Progress Telerik Document Processing Libraries, versions prior to 2025 Q1 (2025.1.2xx), using .NET Standard 2.0, the contents of a file at an arbitrary path can be exported to RTF.