CVE-2024-4358 | Attaxion

CISA Known Exploited Vulnerability (KEV)

Name

Progress Telerik Report Server Authentication Bypass by Spoofing Vulnerability

Exploit added

June 13, 2024

Action due

July 4, 2024

Action required

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Description

In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability.

References

https://docs.telerik.com/report-server/knowledge-base/registration-auth-bypass-cve-2024-4358

Weakness Enumeration

CWE-ID	CWE Name
CWE-290	Authentication Bypass by Spoofing

Known Affected Software Configurations

cpe:2.3:a:telerik:report_server_2024:-:::::::*
cpe:2.3:a:telerik:report_server_2024:10.0.24.130:::::::*
cpe:2.3:a:telerik:report_server_2024:10.0.24.305:::::::*

Details

Source:
NVD

Published:
May 29, 2024

Updated:
June 14, 2024

Risk information

CVSS v3

Base score:
9.8

Severity:

CRITICAL

Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2

Not defined