Critical Flaw in Telerik Report Server Poses Remote Code Execution Risk

July 26, 2024 at 01:13AM

Progress Software has identified a critical security flaw (CVE-2024-6327) in Telerik Report Server, affecting version 2024 Q2 (10.1.24.514) and earlier, that could lead to remote code execution through insecure deserialization. Users are advised to update to version 10.1.24.709 and, until they can, to run the Report Server Application Pool under an account with limited permissions as a temporary mitigation. Another critical vulnerability in the same product (CVE-2024-4358) was patched earlier.

Key takeaways from the meeting notes:

– Progress Software has issued an advisory urging users to update their Telerik Report Server instances due to the discovery of a critical security flaw (CVE-2024-6327) that could lead to remote code execution. The vulnerability affects Report Server version 2024 Q2 (10.1.24.514) and earlier.
– The company has addressed the flaw in version 10.1.24.709 and recommends changing the user for the Report Server Application Pool to one with limited permissions as a temporary mitigation.
– Progress Software has published steps that administrators can follow to determine whether a given Report Server instance is vulnerable.
– This disclosure follows the patching of another critical vulnerability (CVE-2024-4358) in the same software nearly two months ago, which could be exploited by a remote attacker to bypass authentication and create rogue administrator users.
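The following PowerShell is an added example, not code from Progress Software or from the original article. It shows the two actions the notes describe for a Windows host running Telerik Report Server under IIS: comparing an installed version string against the first fixed build (10.1.24.709) and switching the Report Server application pool to a specific, limited-permission account. The version comparison is one way to check exposure, not the procedure Progress published (those steps are not reproduced above); how the installed version is obtained is left to the administrator. The pool name 'TelerikReportServer' and the service account are placeholders. The script needs the IIS WebAdministration module and an elevated session.

```powershell
# Added example (not from the advisory): version check plus least-privilege
# application pool identity for Telerik Report Server on IIS.
# Assumptions: pool name and account below are placeholders; the installed
# version string is supplied by the administrator.

Import-Module WebAdministration

$FixedVersion = [version]'10.1.24.709'   # first build that fixes CVE-2024-6327

function Test-ReportServerVulnerable {
    # Returns $true when the supplied version is older than the fixed build,
    # e.g. '10.1.24.514' (2024 Q2) -> $true, '10.1.24.709' -> $false.
    param([Parameter(Mandatory)][string]$InstalledVersion)
    return ([version]$InstalledVersion -lt $FixedVersion)
}

function Set-ReportServerPoolIdentity {
    # Re-points the IIS application pool at a specific low-privilege account.
    # This limits what a successful deserialization exploit can do; it does not
    # remove the flaw, so the upgrade to 10.1.24.709 is still required.
    param(
        [Parameter(Mandatory)][string]$PoolName,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    $path = "IIS:\AppPools\$PoolName"
    if (-not (Test-Path $path)) {
        throw "Application pool '$PoolName' not found"
    }

    # identityType 3 = SpecificUser (0 LocalSystem, 1 LocalService,
    # 2 NetworkService, 4 ApplicationPoolIdentity).
    Set-ItemProperty -Path $path -Name processModel.identityType -Value 3
    Set-ItemProperty -Path $path -Name processModel.userName -Value $Credential.UserName
    Set-ItemProperty -Path $path -Name processModel.password `
        -Value $Credential.GetNetworkCredential().Password
    Restart-WebAppPool -Name $PoolName

    # Return the effective identity so the change can be verified.
    Get-ItemProperty -Path $path -Name processModel |
        Select-Object identityType, userName
}

# Usage (placeholders): check, then apply the interim mitigation if needed.
if (Test-ReportServerVulnerable -InstalledVersion '10.1.24.514') {
    $cred = Get-Credential -Message 'Limited-permission account for the Report Server pool'
    Set-ReportServerPoolIdentity -PoolName 'TelerikReportServer' -Credential $cred
}
```

The account used for the pool should hold only the file-system and database rights the Report Server installation actually needs, not local administrator membership; verify the service still starts and renders reports after the restart before relying on the change.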

These notes highlight the urgency for users to update their Telerik Report Server instances to mitigate the security risks posed by these vulnerabilities.