CVE-2024-0832

In Telerik Reporting versions prior to 2024 R1, a privilege elevation vulnerability has been identified in the applications installer component. In an environment where an existing Telerik Reporting install is present, a lower privileged user has the ability to manipulate the installation package to elevate their privileges on the underlying operating system.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://docs.telerik.com/reporting/knowledge-base/legacy-installer-vulnerability	Vendor Advisory
https://www.telerik.com/products/reporting.aspx	Product

Configurations

Configuration 1 (hide)

cpe:2.3:a:progress:telerik_reporting:*:*:*:*:*:*:*:*

History

09 Feb 2024, 17:12

Type	Values Removed	Values Added
CPE		cpe:2.3:a:progress:telerik_reporting::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.8
CWE		NVD-CWE-noinfo
References	~~() https://docs.telerik.com/reporting/knowledge-base/legacy-installer-vulnerability -~~	() https://docs.telerik.com/reporting/knowledge-base/legacy-installer-vulnerability - Vendor Advisory
References	~~() https://www.telerik.com/products/reporting.aspx -~~	() https://www.telerik.com/products/reporting.aspx - Product
First Time		Progress Progress telerik Reporting

31 Jan 2024, 17:15

Type	Values Removed	Values Added
References	~~{'url': 'https://www.telerik.com/devcraft', 'name': 'https://www.telerik.com/devcraft', 'tags': [], 'refsource': ''}~~	() https://www.telerik.com/products/reporting.aspx -

31 Jan 2024, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-01-31 16:15

Updated : 2024-02-28 20:54

NVD link : CVE-2024-0832

Mitre link : CVE-2024-0832

CVE.ORG link : CVE-2024-0832

JSON object : View

Products Affected

progress

telerik_reporting

CWE

NVD-CWE-noinfo CWE-269

Improper Privilege Management

{"id": "CVE-2024-0832", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}, {"type": "Secondary", "source": "security@progress.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 1.1}]}, "published": "2024-01-31T16:15:46.287", "references": [{"url": "https://docs.telerik.com/reporting/knowledge-base/legacy-installer-vulnerability", "tags": ["Vendor Advisory"], "source": "security@progress.com"}, {"url": "https://www.telerik.com/products/reporting.aspx", "tags": ["Product"], "source": "security@progress.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"type": "Secondary", "source": "security@progress.com", "description": [{"lang": "en", "value": "CWE-269"}]}], "descriptions": [{"lang": "en", "value": "In Telerik Reporting versions prior to 2024 R1, a privilege elevation vulnerability has been identified in the applications installer component.\u00a0 In an environment where an existing Telerik Reporting install is present, a lower privileged user has the ability to manipulate the installation package to elevate their privileges on the underlying operating system."}, {"lang": "es", "value": "En las versiones de Telerik Reporting anteriores a 2024 R1, se identific\u00f3 una vulnerabilidad de elevaci\u00f3n de privilegios en el componente del instalador de aplicaciones. En un entorno donde existe una instalaci\u00f3n de Telerik Reporting, un usuario con privilegios bajos tiene la capacidad de manipular el paquete de instalaci\u00f3n para elevar sus privilegios en el sistema operativo subyacente."}], "lastModified": "2024-02-09T17:12:45.853", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:progress:telerik_reporting:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "99094F38-B499-494D-B452-9998934D4E19", "versionEndExcluding": "18.0.24.130"}], "operator": "OR"}]}], "sourceIdentifier": "security@progress.com"}