In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability.
The access protection mechanism in Telerik Report Server running on an IIS server can be bypassed by an unauthenticated attacker (CWE-290 – Authentication Bypass by Spoofing). A network attacker does not need any privileges or user interaction to exploit this vulnerability. As a result, it is possible to gain access to functionality reserved only for authenticated users.
An attacker can gain unauthorized access to protected functionality of Telerik Report Server, which may lead to violation of confidentiality, integrity, and availability of data and services managed by the reporting server.
Telerik Report Server should be updated as soon as possible to a version newer than 2024 Q1 (10.0.24.305), applying patches available from the vendor. Detailed instructions are available in the vendor's documentation at the address indicated in the references (knowledge-base/registration-auth-bypass-cve-2024-4358). Until the update is deployed, it is recommended to restrict network access to the Telerik Report Server instance only to trusted IP addresses.
Progress Telerik Report Server version 2024 Q1 (10.0.24.305) and earlier, running on an IIS server.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HTelerik Report Server 2024
APPTelerik≤ 10.0.24.305
CISA KEV — detailsi
- Vendori
- Progress ↗
- Producti
- Telerik Report Server
- Added to KEVi
- June 13, 2024
- Remediation deadline (US Federal)i
- July 4, 2024(overdue)
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Progress Telerik Report Server contains an authorization bypass by spoofing vulnerability that allows an attacker to obtain unauthorized access.
Related vulnerabilities
Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the ...
Telerik.Web.UI in Progress Telerik UI for ASP.NET AJAX before R1 2017 and R2 before R2 2017 SP2 uses weak RadA...
Telerik.Web.UI.dll in Progress Telerik UI for ASP.NET AJAX before R2 2017 SP1 and Sitefinity before 10.0.6412....
Path traversal in RadChart in Telerik UI for ASP.NET AJAX allows a remote attacker to read and delete an image...
In Progress Telerik UI for WPF versions prior to 2024 Q4 (2024.4.1213), a code execution attack is possible th...