
Insecure Deserialization Vulnerability

Description

  • Affected versions: Telerik Reporting 2024 Q1 (18.0.24.130) and older.

Root Cause

In Progress® Telerik® Reporting versions prior to 2024 Q1 (18.0.24.130), a code execution attack is possible through an insecure deserialization vulnerability. In the case of CVE-2024-1856, the vulnerability may also be exploitable remotely under a specific set of circumstances in a misconfigured web application.

Solution

Updating to Telerik Reporting 2024 Q1 (18.0.24.305) or later is the only way to remove this vulnerability. Please see the upgrade documentation (Upgrade Overview - Telerik Reporting) and follow the instructions for the version you are upgrading from.

Notes

  • We would like to thank 07842c0e165d4d2d8733dd4eab48b3ed0f7afe38 working with Trend Micro Zero Day Initiative for their responsible disclosure and cooperation.
  • To check your current version of Telerik Reporting, there are two primary options:
    • If you’re using the REST service, you can visit the /api/reports/version/ endpoint (e.g., https://demos.telerik.com/reporting/api/reports/version).
    • If you’re only using the desktop tooling, check PC Settings > Installed Apps > expand Telerik Reporting item for details.
  • Our customers’ security is of the utmost importance to us. If you have any questions, concerns, or problems related to this issue, you can open a new Technical Support case (Technical Support is available to customers with an active Support subscription).
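The REST version check described above, as an added example that is not part of this advisory or of Telerik's code: it compares the version reported by /api/reports/version against the fixed build 18.0.24.305. It assumes the endpoint returns the version as a JSON string (e.g. "18.0.24.130"); the host names are constructed samples.

```python
"""Triage Telerik Reporting REST services against the CVE-2024-1801 / CVE-2024-1856 fix."""
import json
import re
import sys
import urllib.request

# Lowest build that contains the fix, per the advisory.
FIXED_VERSION = "18.0.24.305"


def parse_version(text):
    """Turn '18.0.24.130' (optionally JSON-quoted, as the endpoint is assumed
    to return it) into a tuple of ints so builds compare numerically."""
    text = text.strip()
    try:
        loaded = json.loads(text)
        if isinstance(loaded, str):
            text = loaded
    except ValueError:
        pass  # already a bare version string
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(p) for p in parts)


def needs_upgrade(version_text):
    """True when the reported build is older than the fixed build."""
    return parse_version(version_text) < parse_version(FIXED_VERSION)


def check_endpoint(base_url, timeout=10):
    """Query <base_url>/api/reports/version (assumed reachable from this host)."""
    url = base_url.rstrip("/") + "/api/reports/version"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", errors="replace")
    return {"url": url, "version": body.strip().strip('"'), "needs_upgrade": needs_upgrade(body)}


# Constructed sample responses, in the JSON-string shape the endpoint is assumed to return.
SAMPLE_RESPONSES = {
    "legacy-reporting.example.internal": '"17.2.23.1010"',
    "reporting-q1.example.internal": '"18.0.24.130"',
    "reporting-patched.example.internal": '"18.0.24.305"',
}


def triage(responses):
    """Map host -> needs_upgrade flag for a fleet of already-collected responses."""
    return {host: needs_upgrade(body) for host, body in responses.items()}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(check_endpoint(sys.argv[1]))  # e.g. https://reports.example.internal
    else:
        for host, flagged in triage(SAMPLE_RESPONSES).items():
            print(f"{host}: {'UPGRADE REQUIRED' if flagged else 'ok'}")
```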

External References

  • CVE-2024-1801 (HIGH)

    CVSS: 7.7

    In Progress® Telerik® Reporting versions prior to 2024 Q1 (18.0.24.130), a code execution attack is possible by a local threat actor through an insecure deserialization vulnerability.

    Discoverer Credit: HackerOne: 07842c0e165d4d2d8733dd4eab48b3ed0f7afe38 working with Trend Micro Zero Day Initiative

  • CVE-2024-1856 (HIGH)

    CVSS: 8.5

    In Progress® Telerik® Reporting versions prior to 2024 Q1 (18.0.24.130), a code execution attack is possible by a remote threat actor through an insecure deserialization vulnerability.

    Discoverer Credit: HackerOne: 07842c0e165d4d2d8733dd4eab48b3ed0f7afe38 working with Trend Micro Zero Day Initiative
