Absolute Path Traversal Vulnerability (6097)
Description
Product Alert – February 2025 - CVE-2024-6097
- Telerik Reporting 2024 Q4 (18.3.24.1218) or earlier.
Issue
CWE-36: Absolute Path Traversal
What Are the Impacts
In Progress® Telerik® Reporting versions prior to 2025 Q1 (19.0.25.211), information disclosure is possible by a local threat actor through an absolute path vulnerability.
Solution
We have addressed the issue and the Progress Telerik team recommends performing an upgrade to the version listed in the table below.
| Current Version | Guidance |
|---|---|
| 2024 Q4 (18.3.24.1218) or earlier | Update to 2025 Q1 (19.0.25.211) (update instructions) |
All customers who have a Telerik Reporting license can access the downloads here Product Downloads | Your Account.
Notes
- This issue only affects the Windows desktop standalone Report Designer, it does not affect Reporting's processing engine or REST services.
- To check your current version of Telerik Reporting, there are two primary options:
- If you’re using the REST service, you can visit the
/api/reports/version/endpoint (e.g., https://demos.telerik.com/reporting/api/reports/version). - If you’re only using the desktop tooling, check PC Settings > Installed Apps > expand Telerik Reporting item for details.
- If you’re using the REST service, you can visit the
- If you have any questions or concerns related to this issue, open a new Technical Support case in Your Account | Support Center. Technical Support is available to Telerik customers with an active support plan.
- We would like to thank Markus Wulftange with CODE WHITE GmbH for their responsible disclosure and cooperation.
External References
CVE-2024-6097 (MEDIUM)
CVSS: 5.3
In Progress® Telerik® Reporting versions prior to 2025 Q1 (19.0.25.211), information disclosure is possible by a local threat actor through an absolute path vulnerability.
Discoverer Credit: Markus Wulftange with CODE WHITE GmbH.