New to Telerik Report Server? Download free 30-day trial

Improper Restriction of XML External Enitities

Description

CVE-2024-4357

  • Telerik Report Server 2024 Q1 (10.0.24.305) and earlier.

Issue

CWE-611 Improper Restriction of XML External Entity Reference

Progress® Telerik® Report Server, versions prior to 2024 Q2 (10.1.24.514), use .NET Framework 4.5.1. That version of .NET Framework contains an XXE vulnerability that was inhertied by Report Server.

What Are the Impacts

An information disclosure vulnerability exists in Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, which allows low-privilege attacker to read systems file via XML External Entity Processing.

Solution

Updating to at least version Report Server 2024 Q2 (10.1.24.514) and later are built on top of .NET Framework 4.6.2 and is no longer vulnerable to this XXE flaw.

Current Version Guidance
10.0.24.305 (or earlier) Update to 10.1.24.514 (update instructions)

All customers who have a Telerik Report Server license can access the downloads here Product Downloads | Your Account.

Notes

  • To check your current version of Report Server, open Configuration page (host/Configuration/Index) > select "About" > view "Build version"
  • If you have any questions or concerns related to this issue, open a new Technical Support case in Your Account | Support Center. Technical Support is available to Telerik customers with an active support plan.

External References

CVE-2024-4357 (MEDIUM)

CVSS: 6.5

An information disclosure vulnerability exists in Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, allows low-privilege attacker to read systems file via XML External Entity Processing.

Credit: "Sina Kheirkhah of Summoning Team working with Trend Micro Zero Day Initiative"

In this article