Telerik
/
reporting-docs
зеркало из https://github.com/telerik/reporting-docs.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
reporting-docs/knowledge-base/insecure-expression-evaluat...

49 строки
2.5 KiB
Markdown
Исходник Ответственный История

Этот файл содержит неоднозначные символы Юникода!

Этот файл содержит неоднозначные символы Юникода, которые могут быть перепутаны с другими в текущей локали. Если это намеренно, можете спокойно проигнорировать это предупреждение. Используйте кнопку Экранировать, чтобы подсветить эти символы.

---
title: Insecure Expression Evaluation Vulnerability
description: "How to mitigate CVE-2024-8048, an insecure expression evaluation vulnerability in the standalone Report Designer."
slug: insecure-expression-evaluation-cve-2024-8048
res_type: kb
---
## Description
Product Alert – September 2024 - [CVE-2024-8048](https://www.cve.org/CVERecord?id=CVE-2024-8048)
- Telerik Reporting 2024 Q3 (18.2.24.806) or earlier.
## Issue
CWE-470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
### What Are the Impacts
In Progress® Telerik® Reporting, versions 2024 Q3 (18.2.24.806) or earlier, an insecure expression evaluation weakness is available in the desktop (standalone) Report Designer.
## Solution
We have addressed the issue and the Progress® Telerik® team recommends performing an upgrade to the version listed in the table below.
| Current Version | Guidance |
|-----------------|----------|
| 2024 Q3 (18.2.24.806) or earlier | Update to 2024 Q3 (18.2.24.924) ([update instructions](({%slug telerikreporting/upgrade/overview%}))) |
All customers who have a Telerik Reporting license can access the downloads here [Product Downloads | Your Account](https://www.telerik.com/account/downloads/product-download?product=REPORTING).
## Notes
- This issue only affects the Windows desktop standalone Report Designer, it does not affect Reporting's processing engine or REST services.
- To check your current version of Telerik Reporting, there are two primary options:
+ If youre using the REST service, you can visit the `/api/reports/version/` endpoint (e.g., https://demos.telerik.com/reporting/api/reports/version).
+ If youre only using the desktop tooling, check **PC Settings** > **Installed Apps** > expand **Telerik Reporting** item for details.
- If you have any questions or concerns related to this issue, open a new Technical Support case in [Your Account | Support Center](https://www.telerik.com/account/support-center/contact-us/). Technical Support is available to Telerik customers with an active support plan.
- We would like to thank Markus Wulftange with CODE WHITE GmbH for their responsible disclosure and cooperation.
## External References
[CVE-2024-8048](https://www.cve.org/CVERecord?id=CVE-2024-8048) (HIGH)
**CVSS:** 7.8
In Progress® Telerik® Reporting versions prior to 2024 Q3 (18.2.24.924), a code execution attack is possible using object injection via insecure expression evaluation.
Discoverer Credit: Markus Wulftange with CODE WHITE GmbH.
Ссылка в новой задаче Показать git blame Копировать постоянную ссылку