Lucene search

ProgressSoftwareVULNRICHMENT:CVE-2024-4357

HistoryMay 15, 2024 - 4:58 p.m.

CVE-2024-4357 XML External Entity Processing Information Disclosure

2024-05-1516:58:31

CWE-611

ProgressSoftware

github.com

cve-2024-4357

information disclosure

progress telerik report server

xml external entity processing

systems file read

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

6.4 Medium

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

29.0%

JSON

An information disclosure vulnerability exists in Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, allows low-privilege attacker to read systems file via XML External Entity Processing.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "platforms": [
      "Windows"
    ],
    "product": "Telerik Report Server",
    "vendor": "Progress Software",
    "versions": [
      {
        "lessThan": "10.0.24.514",
        "status": "affected",
        "version": "1.0.0.0",
        "versionType": "semver"
      }
    ]
  }
]

References

docs.telerik.com/report-server/knowledge-base/xxe-vulnerability-cve-2024-4357

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

6.4 Medium

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

29.0%

JSON

Related for VULNRICHMENT:CVE-2024-4357