9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.179 Low
EPSS
Percentile
96.0%
The Telerik Web UI, versions R2 2017 (2017.2.503) and prior, is vulnerable to a cryptographic weakness which an attacker can exploit to extract encryption keys.
CWE-326: Inadequate Encryption Strength - CVE-2017-9248
The Telerik.Web.UI.dll
is vulnerable to a cryptographic weakness which allows the attacker to extract the Telerik.Web.UI.DialogParametersEncryptionKey
and/or the MachineKey
.
Versions R2 2017 (2017.2.503) and prior are vulnerable.
A remote, unauthenticated attacker could perform arbitrary file upload and downloads, cross-site scripting attacks, leak the MachineKey
, or compromise the ASP.NET ViewState.
Software vendors who use Telerik web components may also be impacted.
Apply an update
Please see the Telerik’s support article for update information for specific versions.
The support article also provides information to those who are unable to update their software.
838200
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Updated: July 18, 2017
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Updated: July 19, 2017
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Group | Score | Vector |
---|---|---|
Base | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P |
Temporal | 7.5 | E:ND/RL:ND/RC:ND |
Environmental | 5.6 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |
Telerik thanks to Erlend Leiknes, security consultant in Mnemonic AS, and Thanh Van Tien Nguyen for reporting this vulnerability.
This document was written by Trent Novelly.
CVE IDs: | CVE-2017-9248 |
---|---|
Date Public: | 2017-06-26 Date First Published: |
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.179 Low
EPSS
Percentile
96.0%