Object Injection Vulnerability

Description

Product Alert - July 2024 - CVE-2024-6096

  • Telerik Reporting 2024 Q2 (18.1.24.514) and older.

Root Cause

In Progress® Telerik® Reporting versions prior to 18.1.24.709, an object injection attack is possible through an insecure type resolution vulnerability.

Solution

Updating to at least version Reporting 2024 Q2 (18.1.24.709) is the only way to remove this vulnerability. Please visit the upgrade documentation (Upgrade Overview - Telerik Reporting) and follow the instructions for the version you are upgrading from.

Notes

  • Our customers’ security is of the utmost importance to us. If you have any questions, concerns, or problems related to this issue, you can open a new Technical Support case (Technical Support is available to customers with an active Support subscription).
  • We would like to thank Markus Wulftange with CODE WHITE GmbH for their responsible disclosure and cooperation.
  • To check your current version of Telerik Reporting, there are two primary options:
    • If you’re using the REST service, you can visit the /api/reports/version/ endpoint (e.g., https://demos.telerik.com/reporting/api/reports/version).
    • If you’re only using the desktop tooling, check PC Settings > Installed Apps > expand Telerik Reporting item for details.
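As an added example (not part of the advisory or of Telerik's own tooling), the following Python script parses a Telerik Reporting version string such as the one served by the /api/reports/version endpoint and compares it numerically against the fixed version 18.1.24.709, so that a deployment can be flagged as affected or not. It assumes the endpoint returns the version as a JSON string; the advisory does not state the response format.

```python
import json
import re
import urllib.request

# First version without the vulnerability, taken from the advisory.
FIXED_VERSION = "18.1.24.709"


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '18.1.24.514' into (18, 1, 24, 514) so components compare numerically.

    A plain string comparison would be wrong: '9.0.0.0' > '18.1.24.709' lexicographically.
    """
    m = re.fullmatch(r"\s*v?(\d+(?:\.\d+)*)\s*", text)
    if not m:
        raise ValueError(f"unrecognized version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` is older than the fix version (i.e. affected by CVE-2024-6096)."""
    return parse_version(version) < parse_version(fixed)


def version_from_response(body: bytes) -> str:
    """Extract the version from a /api/reports/version response body.

    Assumption (not stated on the advisory page): the endpoint returns the version
    as a JSON string such as "18.1.24.514". A bare string is accepted too.
    """
    text = body.decode("utf-8").strip()
    try:
        value = json.loads(text)
    except json.JSONDecodeError:
        value = text
    if not isinstance(value, str):
        raise ValueError(f"unexpected version payload: {text!r}")
    return value


def check_endpoint(base_url: str, timeout: float = 10.0) -> tuple[str, bool]:
    """Query <base_url>/api/reports/version of your own service; returns (version, vulnerable)."""
    url = base_url.rstrip("/") + "/api/reports/version"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        version = version_from_response(resp.read())
    return version, is_vulnerable(version)


if __name__ == "__main__":
    # Constructed sample payloads standing in for real responses.
    for sample in (b'"18.1.24.514"', b'"18.1.24.709"', b'"18.2.24.806"'):
        v = version_from_response(sample)
        print(v, "AFFECTED" if is_vulnerable(v) else "fixed")
```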

External References

  • CVE-2024-6096 (HIGH)

    CVSS: 8.8

    In Progress® Telerik® Reporting versions prior to 18.1.24.709, an object injection attack is possible through an insecure type resolution vulnerability.

    Discoverer Credit: Markus Wulftange with CODE WHITE GmbH