Insecure Type Resolution Vulnerability
Description
Product Alert ��– September 2024 - CVE-2024-8014
- Telerik Reporting 2024 Q3 (18.2.24.806) or earlier.
Issue
CWE-470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
What Are the Impacts
In Progress® Telerik® Reporting, versions 2024 Q3 (18.2.24.806) or earlier, a code execution attack is possible through an insecure type resolution vulnerability.
Solution
We have addressed the issue and the Progress® Telerik® team recommends performing an upgrade to the version listed in the table below.
| Current Version | Guidance |
|---|---|
| 2024 Q3 (18.2.24.806) or earlier | Update to 2024 Q3 (18.2.24.924) (update instructions) |
All customers who have a Telerik Reporting license can access the downloads here Product Downloads | Your Account.
Notes
- To check your current version of Telerik Reporting, there are two primary options:
- If you’re using the REST service, you can visit the
/api/reports/version/endpoint (e.g., https://demos.telerik.com/reporting/api/reports/version). - If you’re only using the desktop tooling, check PC Settings > Installed Apps > expand Telerik Reporting item for details.
- If you’re using the REST service, you can visit the
- If you have any questions or concerns related to this issue, open a new Technical Support case in Your Account | Support Center. Technical Support is available to Telerik customers with an active support plan.
- We would like to thank Markus Wulftange with CODE WHITE GmbH for their responsible disclosure and cooperation.
External References
CVE-2024-8014 (HIGH)
CVSS: 8.8
In Progress® Telerik® Reporting versions prior to 2024 Q3 (18.2.24.924), a code execution attack is possible through object injection via an insecure type resolution vulnerability.
Discoverer Credit: Markus Wulftange with CODE WHITE GmbH