Unsafe Deserialization Vulnerability

Description

Product Alert – May 2024 - CVE-2024-4200

• Telerik Reporting 2024 Q1 (18.0.24.305) or earlier.

Issue

CWE-502: Deserialization of Untrusted Data

In Progress® Telerik® Reporting versions prior to 2024 Q2 (18.1.24.514), a code execution attack is possible through an insecure deserialization vulnerability.

What Are the Impacts

Local code execution can occur when the Telerik Reporting engine deserializes untrusted localization assets.

Solution

Updating to at least version Reporting 2024 Q2 (18.1.24.514) is the only way to remove this vulnerability. We have addressed the vulnerability and the Progress Telerik team strongly recommends performing an upgrade to the latest version listed in the table below.

All customers who have a Telerik Reporting license can access the downloads here Product Downloads | Your Account.

Notes

• This vulnerability takes effect only when replacing one or more Telerik Reporting assets with a custom one containing malicious code. In general, you should never replace localization assets from sources of unknown origin.
• To check your current version of Telerik Reporting, there are two primary options:
  • If you’re using the REST service, you can visit the /api/reports/version/ endpoint (e.g., https://demos.telerik.com/reporting/api/reports/version).
  • If you’re only using the desktop tooling, check PC Settings > Installed Apps > expand Telerik Reporting item for details.
• If you have any questions or concerns related to this issue, open a new Technical Support case in Your Account | Support Center. Technical Support is available to Telerik customers with an active support plan.

External References

CVE-2024-4200 (HIGH)

CVSS: 7.7

In Progress® Telerik® Reporting versions prior to 2024 Q2 (18.1.24.514), a code execution attack is possible through an insecure deserialization vulnerability