Trust Boundary Violation Vulnerability

Description

May 2024 - CVE-2024-4837

  • Telerik Report Server 2024 Q1 (10.0.24.305) and earlier.

Issue

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via a trust boundary violation vulnerability.

What Are the Impacts

These storage settings are, by default, not available outside the environment where Report Server runs. An attacker who can view the setting's value would not typically have access to it.

However, if the server was misconfigured to use an external option and included plain-text credentials in the value, the attacker can interfere with the Report Server's operation by corrupting those settings. Note that this storage option applies only to application options; it is not the same as a Data Connection used for reports' data sources.

Solution

Updating to Report Server 2024 Q2 (10.1.24.514) or later is the only way to remove this vulnerability. The Progress Telerik team strongly recommends performing an upgrade to the latest version listed in the table below.

Current Version          Guidance
2024 Q1 (10.0.24.305)    Update to 2024 Q2 (10.1.24.514) (update instructions)

Notes

  • All customers who have a Telerik Report Server license can access the downloads here: Product Downloads | Your Account.
  • If you have any questions or concerns related to this issue, open a new Technical Support case in Your Account | Support Center. Technical Support is available to Telerik customers with an active support plan.

External References

CVE-2024-4837

CVSS: 5.3

In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via a trust boundary violation vulnerability.

Credit: "Christian Kuersteiner (Greenbone AG) via BugCrowd"