CVE-2024-6097 in Telerik Reporting

Summary

by MITRE • 02/12/2025

In Progress® Telerik® Reporting versions prior to 2025 Q1 (19.0.25.211), information disclosure is possible by a local threat actor through an absolute path vulnerability.


Analysis

by VulDB Data Team • 02/25/2025

CVE-2024-6097 affects Progress Telerik Reporting releases before 2025 Q1, that is, versions below 19.0.25.211, and presents a critical information disclosure risk through absolute path traversal. The weakness lies in the reporting framework's handling of file paths and directory structures and gives a local threat actor a way to read sensitive system information. It manifests when the application accepts an absolute path without validating or sanitizing it, which can expose the internal file system layout, configuration files and other data that should stay within the application's own operational boundaries.

Technically, the flaw stems from inadequate input validation in the file access routines of the Telerik Reporting component. When it processes a user-supplied or system-generated absolute path, the software neither sanitizes the path nor verifies that it is a legitimate target before referencing or opening it. The result is a path traversal condition that an attacker with local access can use to reach files beyond the intended access boundary. Because the weakness operates at the file system level, it can reveal system directories, configuration files, database connection strings and other sensitive material stored in readable locations, and so give an attacker insight into the system architecture and pointers to further attack surface within the application environment.

The operational impact goes beyond the disclosure itself, because the data obtained is reconnaissance material that supports more sophisticated attacks. A local threat actor who exploits the flaw can learn the operating system version, installed software components, file system structure and potentially sensitive configuration details, and can use that knowledge to target other system components or to escalate privileges. The vulnerability is local, so the attacker must already have access to the host, but once exploited it yields intelligence that can lead to further compromise. The risk is greatest for organizations that run Telerik Reporting in production on systems that process sensitive data and where local access can be obtained through legitimate channels such as employee accounts or compromised user credentials.

The immediate mitigation is to upgrade Progress Telerik Reporting to version 19.0.25.211 or later. Administrators should additionally restrict local access to authorized personnel, enforce proper file system permissions, and run regular security assessments to find path traversal weaknesses in other components. The vulnerability aligns with CWE-22 (improper limitation of a pathname to a restricted directory) and represents a significant risk under the ATT&CK framework's reconnaissance and privilege escalation tactics. Regular review of system access logs and intrusion detection can help identify exploitation attempts, and application whitelisting together with a consistent patching process reduces the chance that similar flaws are exploited in the future.
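The weakness described above belongs to the CWE-22 family: a component takes a path string from its caller and opens it without confirming that it stays inside the directory it is meant to serve. The following is an added example, not Telerik code, of the containment check such a component needs; the report root, file names and the `safe_resolve` / `classify_requests` helpers are constructed for illustration.

```python
"""Confining untrusted report paths to a base directory (added example, not Telerik code)."""
import os
from pathlib import PureWindowsPath


class UnsafePathError(ValueError):
    """Raised when a requested path is absolute, rooted, or escapes the base directory."""


def safe_resolve(base_dir: str, requested: str) -> str:
    """Return the real absolute path of `requested` under `base_dir`, or raise.

    `base_dir` is trusted (server configuration); `requested` is untrusted input.
    """
    if not requested or "\x00" in requested:
        raise UnsafePathError("empty path or NUL byte in path")

    # Treat backslashes as separators too, so 'reports\\..\\x' and '\\x' are
    # judged the same way on every platform.
    normalized = requested.replace("\\", "/")

    # Reject anything rooted: POSIX '/etc/passwd', Windows 'C:/x', drive-relative
    # 'C:x' and UNC '//server/share/x'. PureWindowsPath parses these the same way
    # regardless of the host OS, which is why it is used even on Linux.
    win = PureWindowsPath(normalized)
    if normalized.startswith("/") or win.drive or win.root:
        raise UnsafePathError(f"absolute or rooted path rejected: {requested!r}")

    base = os.path.realpath(base_dir)
    # realpath collapses '..' and follows symlinks, so the containment test
    # below sees the path that would actually be opened, not the raw string.
    candidate = os.path.realpath(os.path.join(base, normalized))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:  # paths on different drives (Windows) share nothing
        inside = False
    if not inside:
        raise UnsafePathError(f"path escapes base directory: {requested!r}")
    return candidate


def classify_requests(base_dir: str, requests: list[str]) -> dict[str, bool]:
    """Map each request string to True (allowed) or False (rejected)."""
    result: dict[str, bool] = {}
    for req in requests:
        try:
            safe_resolve(base_dir, req)
            result[req] = True
        except UnsafePathError:
            result[req] = False
    return result


# Constructed sample input: a hypothetical report root and a mix of requests.
REPORT_ROOT = "/srv/telerik/reports"
SAMPLE_REQUESTS = [
    "monthly/sales.trdp",      # legitimate relative path
    "monthly/../sales.trdp",   # '..' that still resolves inside the root
    "/etc/passwd",             # POSIX absolute path
    "C:/Windows/win.ini",      # Windows absolute path
    "C:secret.txt",            # drive-relative path
    "//fileserver/share/x",    # UNC path
    "\\Windows\\win.ini",      # rooted path without a drive letter
    "../../../etc/shadow",     # traversal out of the root
]

if __name__ == "__main__":
    for req, ok in classify_requests(REPORT_ROOT, SAMPLE_REQUESTS).items():
        print(f"{'allow' if ok else 'deny':5} {req}")
```

The design point is that the decision is made on the resolved path, not on the input string: string filters for `..` or a leading slash miss encoded, backslash or drive-relative variants, whereas comparing `realpath` output against the real base directory rejects every spelling that would leave it.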

Responsible

Progress Software

Reservation

06/17/2024

Disclosure

02/12/2025

Moderation

accepted

CPE

ready

EPSS

0.00471

KEV

no

Activities

very low
