Improper Restriction of XML External Entities
Description
- Telerik Report Server 2024 Q1 (10.0.24.305) and earlier.
Issue
CWE-611 Improper Restriction of XML External Entity Reference
Progress® Telerik® Report Server, versions prior to 2024 Q2 (10.1.24.514), use .NET Framework 4.5.1. That version of .NET Framework contains an XXE vulnerability that was inherited by Report Server.
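The advisory describes the flaw only at the level of the inherited framework, so the following is an added illustration of what the defensive side of an XXE issue looks like in a .NET application. It is not Telerik code and makes no claim about how Report Server parses XML; the element names and the placeholder file path are constructed for the example. The point is that DTD processing is prohibited and no external resolver is set explicitly, instead of relying on framework defaults, which differ between .NET Framework versions.

```csharp
using System;
using System.IO;
using System.Xml;

// Added illustration (not Telerik code): parse untrusted XML with DTD
// processing disabled and no external resolver, so an external entity
// declaration cannot be used to read local files.
public static class SafeXml
{
    public static XmlDocument LoadUntrusted(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // any <!DOCTYPE ...> raises XmlException
            XmlResolver = null,                     // never fetch external resources
            MaxCharactersFromEntities = 1024        // bound entity expansion as a second limit
        };

        using (var reader = XmlReader.Create(new StringReader(xml), settings))
        {
            // Set the resolver explicitly rather than trusting the framework default.
            var doc = new XmlDocument { XmlResolver = null };
            doc.Load(reader);
            return doc;
        }
    }

    public static void Main()
    {
        // Constructed sample of the input shape an XXE check must reject;
        // the SYSTEM path is a placeholder, not a real file.
        const string hostile =
            "<?xml version=\"1.0\"?>" +
            "<!DOCTYPE report [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER_PATH\">]>" +
            "<report>&ext;</report>";

        const string benign = "<report><title>Quarterly</title></report>";

        Console.WriteLine(LoadUntrusted(benign).DocumentElement.Name); // report

        try
        {
            LoadUntrusted(hostile);
            Console.WriteLine("UNEXPECTED: DTD was accepted");
        }
        catch (XmlException ex)
        {
            // Prohibit mode rejects the document at the DOCTYPE, before any entity is expanded.
            Console.WriteLine("Rejected as expected: " + ex.Message);
        }
    }
}
```

The benign document loads normally; the document carrying a DOCTYPE is rejected at the declaration, so the external entity is never resolved. A parser that leaves `DtdProcessing` at `Parse` with a default `XmlUrlResolver` is the configuration under which the entity would instead be fetched.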
What Are the Impacts
An information disclosure vulnerability exists in Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, which allows a low-privilege attacker to read system files via XML External Entity processing.
Solution
Update to Report Server 2024 Q2 (10.1.24.514) or later. Those versions are built on top of .NET Framework 4.6.2 and are no longer vulnerable to this XXE flaw.
| Current Version | Guidance |
|---|---|
| 10.0.24.305 (or earlier) | Update to 10.1.24.514 (update instructions) |
All customers who have a Telerik Report Server license can access the downloads under Product Downloads in Your Account.
Notes
- To check your current version of Report Server, open the Configuration page (host/Configuration/Index), select "About", and view "Build version".
- If you have any questions or concerns related to this issue, open a new Technical Support case in Your Account | Support Center. Technical Support is available to Telerik customers with an active support plan.
External References
CVE-2024-4357 (MEDIUM)
CVSS: 6.5
An information disclosure vulnerability exists in Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, which allows a low-privilege attacker to read system files via XML External Entity processing.
Credit: "Sina Kheirkhah of Summoning Team working with Trend Micro Zero Day Initiative"