Progress Telerik Report Server up to 10.2.24.806 hard-coded credentials
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 5.5 | $0-$5k | 0.00 |
Summary
A vulnerability identified as critical has been detected in Progress Telerik Report Server. An unknown function is impacted. The manipulation leads to hard-coded credentials. This vulnerability is tracked as CVE-2024-7295. The attack is restricted to local execution. No exploit exists. You should upgrade the affected component.
Details
A vulnerability has been found in Progress Telerik Report Server and classified as problematic. Affected by this vulnerability is some unknown functionality. The manipulation with an unknown input leads to a hard-coded credentials vulnerability. The CWE definition for the vulnerability is CWE-798. The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. As an impact it is known to affect confidentiality. The summary by CVE is:
In Progress® Telerik® Report Server versions prior to 2024 Q4 (10.3.24.1112), the encryption of local asset data used an older algorithm which may allow a sophisticated actor to decrypt this information.
The advisory is shared at docs.telerik.com. This vulnerability has been known as CVE-2024-7295 since 07/30/2024. The exploitation appears to be easy. The attack has to be approached locally. Neither technical details nor an exploit are publicly available. The MITRE ATT&CK project maps this issue to the attack technique T1110.001.
The vulnerability scanner Nessus provides a plugin with the ID 211469 (Progress Telerik Report Server <= 10.2.24.924 Encryption Weakness (CVE-2024-7295)), which helps to determine the existence of the flaw in a target environment.
Upgrading to version 10.3.24.1112 eliminates this vulnerability.
The vulnerability is also documented in the vulnerability database at Tenable (211469). Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Product
Vendor: Progress
Name: Telerik Report Server
Version: up to 10.2.24.806
CVSSv3
VulDB Meta Base Score: 5.5
VulDB Meta Temp Score: 5.5
VulDB Base Score: 3.3
VulDB Temp Score: 3.2
NVD Base Score: 6.2
CNA Base Score (ProgressSoftware): 7.1
Exploiting
Class: Hard-coded credentials
CWE: CWE-798 / CWE-259 / CWE-255
Physical: Partially
Local: Yes
Remote: No
Status: Not defined
Nessus ID: 211469
Nessus Name: Progress Telerik Report Server <= 10.2.24.924 Encryption Weakness (CVE-2024-7295)
Countermeasures
Recommended: Upgrade
Upgrade: Telerik Report Server 10.3.24.1112
Timeline
07/30/2024: CVE-2024-7295 assigned
11/13/2024: VulDB entry created
11/18/2024: VulDB entry updated
Sources
Advisory: docs.telerik.com (status: Confirmed)
CVE: CVE-2024-7295
GCVE (CVE): GCVE-0-2024-7295
GCVE (VulDB): GCVE-100-284377
Entry
Created: 11/13/2024 17:57
Updated: 11/18/2024 19:31
Changes: 11/13/2024 17:57 (64), 11/16/2024 03:31 (2), 11/18/2024 19:31 (12)