Insecure Instantiation Vulnerability
Description
Product Alert – May 2024 - CVE-2024-4202
- Telerik Reporting 2024 Q1 (18.0.24.305) or earlier.
Issue
CWE-94: Improper Control of Generation of Code ('Code Injection')
In Progress® Telerik® Reporting versions prior to 2024 Q2 (18.1.24.514), a code execution attack is possible through an insecure instantiation vulnerability.
What Are the Impacts
Local code execution can occur when the Telerik Reporting engine loads a custom assembly as part of the communication workflow between desktop report viewers (WinForms, WPF, WinUI) and a remote Reporting engine.
Solution
Updating to at least version Reporting 2024 Q2 (18.1.24.514) is the only way to remove this vulnerability. We have addressed the vulnerability and the Progress Telerik team strongly recommends performing an upgrade to the latest version listed in the table below.
| Current Version | Guidance |
|---|---|
| 18.0.24.305 (or earlier) | Update to 18.1.24.514 (update instructions) |
All customers who have a Telerik Reporting license can access the downloads here Product Downloads | Your Account.
Notes
- This vulnerability takes effect only when replacing one or more Telerik Reporting assemblies with custom assemblies containing malicious code. In general, you should never replace Telerik Reporting assemblies with assemblies obtained from sources with unknown origins.
- To check your current version of Telerik Reporting, there are two primary options:
- If you’re using the REST service, you can visit the
/api/reports/version/endpoint (e.g., https://demos.telerik.com/reporting/api/reports/version). - If you’re only using the desktop tooling, check PC Settings > Installed Apps > expand Telerik Reporting item for details.
- If you’re using the REST service, you can visit the
- If you have any questions or concerns related to this issue, open a new Technical Support case in Your Account | Support Center. Technical Support is available to Telerik customers with an active support plan.
External References
CVE-2024-4202 (HIGH)
CVSS: 7.7
In Progress® Telerik® Reporting versions prior to 2024 Q2 (18.1.24.514), a code execution attack is possible through an insecure instantiation vulnerability.