Insecure Expression Evaluation Vulnerability
Description
Product Alert – September 2024 - CVE-2024-8048
- Telerik Reporting 2024 Q3 (18.2.24.806) or earlier.
Issue
CWE-470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
What Are the Impacts
In Progress® Telerik® Reporting, versions 2024 Q3 (18.2.24.806) or earlier, an insecure expression evaluation weakness is available in the desktop (standalone) Report Designer.
Solution
We have addressed the issue and the Progress® Telerik® team recommends performing an upgrade to the version listed in the table below.
| Current Version | Guidance |
|---|---|
| 2024 Q3 (18.2.24.806) or earlier | Update to 2024 Q3 (18.2.24.924) (update instructions) |
All customers who have a Telerik Reporting license can access the downloads here Product Downloads | Your Account.
Notes
- This issue only affects the Windows desktop standalone Report Designer, it does not affect Reporting's processing engine or REST services.
- To check your current version of Telerik Reporting, there are two primary options:
- If you’re using the REST service, you can visit the
/api/reports/version/endpoint (e.g., https://demos.telerik.com/reporting/api/reports/version). - If you’re only using the desktop tooling, check PC Settings > Installed Apps > expand Telerik Reporting item for details.
- If you’re using the REST service, you can visit the
- If you have any questions or concerns related to this issue, open a new Technical Support case in Your Account | Support Center. Technical Support is available to Telerik customers with an active support plan.
- We would like to thank Markus Wulftange with CODE WHITE GmbH for their responsible disclosure and cooperation.
External References
CVE-2024-8048 (HIGH)
CVSS: 7.8
In Progress® Telerik® Reporting versions prior to 2024 Q3 (18.2.24.924), a code execution attack is possible using object injection via insecure expression evaluation.
Discoverer Credit: Markus Wulftange with CODE WHITE GmbH.