CRITICALšŸ‡µšŸ‡± Wersja polska

CVE-2024-6327

CVSS 9.9v3.1pub. 2024-07-24upd. 2024-11-21

In ProgressĀ® TelerikĀ® Report Server versions prior to 2024 Q2 (10.1.24.709), a remote code execution attack is possible through an insecure deserialization vulnerability.

šŸ¤– AI Analysis
How it works

The vulnerability results from unsafe deserialization of user-supplied data (CWE-502). An attacker with basic privilege level can send a specially crafted payload to a vulnerable application endpoint. During deserialization, the server processes malicious data without proper validation, leading to arbitrary code execution in the server context. The attack scope extends beyond the direct component (Scope: Changed), which increases the potential impact on the environment.

Impact

A successful attack allows the attacker to execute code remotely (RCE) on the server, which may lead to complete system takeover, sensitive data leakage, integrity violation, and service unavailability.

Mitigation & patch

Progress Telerik Report Server must be immediately updated to version 2024 Q2 (10.1.24.709) or later. Detailed information is available in the official vendor document at: https://docs.telerik.com/report-server/knowledge-base/deserialization-vulnerability-cve-2024-6327

Who is affected

Progress Telerik Report Server in all versions prior to 2024 Q2 (10.1.24.709)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Progress Telerik Report Server

    APP
    Progress
    < 10.1.24.709
šŸ”µ
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEDeserialization
CWE
References

Related vulnerabilities

CVE-2024-8015CRITICAL9.1PL āœ“ten sam produkt

RCE w Progress Telerik Report Server przez insecure type resolution

CVE-2024-1800CRITICAL9.9PL āœ“ten sam produkt

RCE przez insecure deserialization w Progress Telerik Report Server

CVE-2025-0556HIGH8.8ten sam produkt

In ProgressĀ® TelerikĀ® Report Server, versions prior to 2025 Q1 (11.0.25.211) when using the older .NET Framewo...

CVE-2024-7295HIGH7.1ten sam produkt

In ProgressĀ® TelerikĀ® Report Server versions prior to 2024 Q4 (10.3.24.1112), the encryption of local asset da...

CVE-2024-7292HIGH7.5ten sam produkt

In ProgressĀ® TelerikĀ® Report Server versions prior to 2024 Q3 (10.2.24.806), a credential stuffing attack is p...

CVE-2024-6327 — Progress — Telerik Report Server — CRITICAL — CVSS 9.9 | CVEbaza.pl