CVE-2024-4358

Warning

EPSS 94.34%
Published 29.05.2024 15:16:06
Last modified 27.01.2025 21:43:05
Source security@progress.com
Teams watchlist Login
Open Login

In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability.

Affected products Warnungen 1 Metrics 3 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Telerik ≫ Report Server 2024 Version <= 10.0.24.305

13.06.2024: CISA Known Exploited Vulnerabilities (KEV) Catalog

Progress Telerik Report Server Authentication Bypass by Spoofing Vulnerability

Vulnerability

Progress Telerik Report Server contains an authorization bypass by spoofing vulnerability that allows an attacker to obtain unauthorized access.

Description

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Required actions

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	94.34%	1

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security@progress.com	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-290 Authentication Bypass by Spoofing

This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

https://docs.telerik.com/report-server/knowledge-base/registration-auth-bypass-cve-2024-4358

Vendor Advisory

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2024-4358

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-4358

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-4358

EUVD