title: Insecure Expression Evaluation Vulnerability
description: How to mitigate CVE-2024-8048, an insecure expression evaluation vulnerability in the standalone Report Designer.
slug: insecure-expression-evaluation-cve-2024-8048
res_type: kb

Description

Product Alert – September 2024 - CVE-2024-8048

  • Telerik Reporting 2024 Q3 (18.2.24.806) or earlier.

Issue

CWE-470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

What Are the Impacts

In Progress® Telerik® Reporting versions 2024 Q3 (18.2.24.806) and earlier, an insecure expression evaluation weakness exists in the desktop (standalone) Report Designer. Because expression text controls which classes and code are selected at evaluation time (CWE-470), a crafted report definition opened in the designer can lead to code execution on the designer host.

Solution

We have addressed the issue, and the Progress® Telerik® team recommends upgrading to the version listed in the table below.

| Current Version | Guidance |
| --- | --- |
| 2024 Q3 (18.2.24.806) or earlier | Update to 2024 Q3 (18.2.24.924) ([update instructions]({%slug telerikreporting/upgrade/overview%})) |

All customers who have a Telerik Reporting license can access the downloads from Product Downloads in Your Account.

Notes

  • This issue only affects the Windows desktop standalone Report Designer; it does not affect Reporting's processing engine or REST services. The upgrade still applies to every machine on which the standalone designer is installed.
  • To check your current version of Telerik Reporting, there are two primary options:
    • If you're using the REST service, you can visit the /api/reports/version/ endpoint (e.g., https://demos.telerik.com/reporting/api/reports/version).
    • If you're only using the desktop tooling, check PC Settings > Installed Apps > expand the Telerik Reporting item for details.
  • If you have any questions or concerns related to this issue, open a new Technical Support case in Your Account | Support Center. Technical Support is available to Telerik customers with an active support plan.
  • We would like to thank Markus Wulftange with CODE WHITE GmbH for their responsible disclosure and cooperation.
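The version check above is easy to get wrong when done by eye across several servers and workstations, so here is an added example (not Progress or Telerik code) that parses a version string and decides whether it is older than the fixed build 18.2.24.924. It assumes, as the page does not state, that the /api/reports/version endpoint returns the four-part assembly version as a JSON string such as `"18.2.24.806"`; the parser also accepts a bare version and the advisory's `2024 Q3 (18.2.24.806)` display form, so the same check works on a DisplayVersion copied from Installed Apps. The sample inputs are constructed, not captured from a real service, and any version numerically between 18.2.24.806 and 18.2.24.924 is treated as affected, matching the CVE wording "prior to 2024 Q3 (18.2.24.924)".

```python
"""Triage a Telerik Reporting version string against the CVE-2024-8048 fix.

Added example for this KB page, not Progress or Telerik code.
Assumption (not stated on the page): /api/reports/version returns the
four-part assembly version as a JSON string, e.g. "18.2.24.806".
"""
import json
import re
import urllib.request

# First fixed build per the advisory table: 2024 Q3 (18.2.24.924).
FIXED_VERSION = (18, 2, 24, 924)
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return the first a.b.c.d version in `text` as a tuple of ints.

    Accepts the JSON-string form the REST endpoint is assumed to return,
    a bare version, or the advisory's "2024 Q3 (18.2.24.806)" form.
    """
    if not isinstance(text, str) or not text.strip():
        raise ValueError("empty version text")
    text = text.strip()
    try:
        decoded = json.loads(text)       # '"18.2.24.806"' -> '18.2.24.806'
        if isinstance(decoded, str):
            text = decoded
    except json.JSONDecodeError:
        pass                              # not JSON: treat as plain text
    match = VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no a.b.c.d version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(text):
    """True when the version is older than the fixed build (CVE-2024-8048)."""
    return parse_version(text) < FIXED_VERSION


def fetch_version(base_url, timeout=10):
    """Query a live REST service; not used by the offline sample below."""
    url = base_url.rstrip("/") + "/api/reports/version"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed sample inputs (not captured from a real service).
SAMPLE_INPUTS = {
    "rest-affected": '"18.2.24.806"',
    "rest-fixed": '"18.2.24.924"',
    "installed-apps": "18.2.24.806",
    "advisory-table": "2024 Q3 (18.2.24.806) or earlier",
}


def triage(inputs):
    """Map each sample name to True (affected) or False (fixed)."""
    return {name: is_affected(text) for name, text in inputs.items()}


if __name__ == "__main__":
    for name, affected in triage(SAMPLE_INPUTS).items():
        print(f"{name:16s} {'UPDATE REQUIRED' if affected else 'ok'}")
```

To check a live service, call `is_affected(fetch_version("https://host/reporting"))`; the REST endpoint only reports the engine version, so the standalone designer installs still have to be checked from Installed Apps on each workstation.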

External References

CVE-2024-8048 (HIGH)

CVSS: 7.8

In Progress® Telerik® Reporting versions prior to 2024 Q3 (18.2.24.924), a code execution attack is possible using object injection via insecure expression evaluation.

Discoverer Credit: Markus Wulftange with CODE WHITE GmbH.