Progress Software is urging users to update their Telerik Report Server instances following the discovery of a critical security flaw that could result in remote code execution.
The vulnerability, tracked as CVE-2024-6327 (CVSS score: 9.9), impacts Report Server version 2024 Q2 (10.1.24.514) and earlier.
"In Progress Telerik Report Server versions prior to 2024 Q2 (10.1.24.709), a remote code execution attack is possible through an insecure deserialization vulnerability," the company said in an advisory.
Deserialization flaws occur when an application reconstructs untrusted, attacker-controlled data without adequate validation in place, which can result in the execution of unauthorized commands.
Progress Software said the flaw has been addressed in version 10.1.24.709. As a temporary mitigation, it is recommended to change the user for the Report Server Application Pool to one with limited permissions.
Administrators can check whether their servers are vulnerable by going through these steps:
- Go to the Report Server web UI and log in using an account with administrator rights.
- Open the Configuration page (~/Configuration/Index).
- Select the About tab; the version number will be displayed in the pane on the right.
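Once the version number has been read from the About tab, the only remaining question is whether it predates the fixed build. The following is an added triage helper, not code from Progress Software or the advisory; the hostnames and all version strings other than the two named in the advisory are constructed sample values. It compares versions numerically so that a hypothetical later build such as 10.1.24.1000 is not misranked by plain string comparison.

```python
# Added example (not Progress Software's code): classify Telerik Report Server
# builds against the fixed version named in the advisory for CVE-2024-6327.
from typing import List, Tuple

# Fixed 2024 Q2 build stated in the advisory.
FIXED_VERSION = "10.1.24.709"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.1.24.514' into (10, 1, 24, 514) so the comparison is numeric.
    A plain string comparison would wrongly rank '10.1.24.1000' below '10.1.24.709'."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str) -> bool:
    """True when the build predates the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Label each (host, version) pair: 'patch', 'ok', or 'review' when the
    recorded version cannot be parsed and must be checked by hand."""
    results = []
    for host, version in inventory:
        try:
            status = "patch" if is_vulnerable(version) else "ok"
        except ValueError:
            status = "review"
        results.append((host, version, status))
    return results


# Constructed sample inventory; hostnames are placeholders, not real systems.
SAMPLE_INVENTORY = [
    ("reports-01.example.internal", "10.1.24.514"),   # affected build named in the advisory
    ("reports-02.example.internal", "10.1.24.709"),   # fixed build named in the advisory
    ("reports-03.example.internal", "10.1.24.1000"),  # hypothetical later build (constructed)
    ("reports-04.example.internal", "unknown"),       # version not recorded (constructed)
]

if __name__ == "__main__":
    for host, version, status in triage(SAMPLE_INVENTORY):
        print(f"{host:30} {version:14} {status}")
```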
The disclosure comes nearly two months after the company patched another critical shortcoming in the same software (CVE-2024-4358, CVSS score: 9.8) that could be abused by a remote attacker to bypass authentication and create rogue administrator users.