New to Telerik Reporting? Download free 30-day trial

Insecure Expression Evaluation Vulnerability

Description

Product Alert – September 2024 - CVE-2024-8048

  • Telerik Reporting 2024 Q3 (18.2.24.806) or earlier.

Issue

CWE-470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

What Are the Impacts

In Progress® Telerik® Reporting, versions 2024 Q3 (18.2.24.806) or earlier, an insecure expression evaluation weakness is available in the desktop (standalone) Report Designer.

Solution

We have addressed the issue and the Progress® Telerik® team recommends performing an upgrade to the version listed in the table below.

Current Version Guidance
2024 Q3 (18.2.24.806) or earlier Update to 2024 Q3 (18.2.24.924) (update instructions)

All customers who have a Telerik Reporting license can access the downloads here Product Downloads | Your Account.

Notes

  • This issue only affects the Windows desktop standalone Report Designer, it does not affect Reporting's processing engine or REST services.
  • To check your current version of Telerik Reporting, there are two primary options:
    • If you’re using the REST service, you can visit the /api/reports/version/ endpoint (e.g., https://demos.telerik.com/reporting/api/reports/version).
    • If you’re only using the desktop tooling, check PC Settings > Installed Apps > expand Telerik Reporting item for details.
  • If you have any questions or concerns related to this issue, open a new Technical Support case in Your Account | Support Center. Technical Support is available to Telerik customers with an active support plan.
  • We would like to thank Markus Wulftange with CODE WHITE GmbH for their responsible disclosure and cooperation.

External References

CVE-2024-8048 (HIGH)

CVSS: 7.8

In Progress® Telerik® Reporting versions prior to 2024 Q3 (18.2.24.924), a code execution attack is possible using object injection via insecure expression evaluation.

Discoverer Credit: Markus Wulftange with CODE WHITE GmbH.

In this article