CVE-2024-4358 (GCVE-0-2024-4358)
Vulnerability from cvelistv5 – Published: 2024-05-29 14:51 – Updated: 2025-10-21 23:05
VLAI?
CISA
Summary
In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability.
Severity ?
9.8 (Critical)
CWE
- CWE-290 - Authentication Bypass by Spoofing
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Progress Software Corporation | Telerik Report Server |
Affected:
1.0.0 , < 10.1.24.514
(semver)
|
Credits
Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative
CISA Known Exploited Vulnerability
Data from the CISA Known Exploited Vulnerabilities Catalog
Date added: 2024-06-13
Due date: 2024-07-04
Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Used in ransomware: Unknown
Notes: https://docs.telerik.com/report-server/knowledge-base/registration-auth-bypass-cve-2024-4358; https://nvd.nist.gov/vuln/detail/CVE-2024-4358
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:progress_software:telerik_report_server:1.0.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "telerik_report_server",
"vendor": "progress_software",
"versions": [
{
"lessThan": "10.1.24.514",
"status": "affected",
"version": "1.0.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4358",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-14T13:56:10.408308Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2024-06-13",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-4358"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T23:05:17.218Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-4358"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-06-13T00:00:00+00:00",
"value": "CVE-2024-4358 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:40:46.999Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://docs.telerik.com/report-server/knowledge-base/registration-auth-bypass-cve-2024-4358"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "Telerik Report Server",
"vendor": "Progress Software Corporation",
"versions": [
{
"lessThan": "10.1.24.514",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative"
}
],
"datePublic": "2024-05-29T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability."
}
],
"value": "In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-290",
"description": "CWE-290 Authentication Bypass by Spoofing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-29T14:51:21.612Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"url": "https://docs.telerik.com/report-server/knowledge-base/registration-auth-bypass-cve-2024-4358"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Registration Authentication Bypass Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2024-4358",
"datePublished": "2024-05-29T14:51:21.612Z",
"dateReserved": "2024-04-30T17:34:38.695Z",
"dateUpdated": "2025-10-21T23:05:17.218Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"cisa_known_exploited": {
"cveID": "CVE-2024-4358",
"cwes": "[\"CWE-290\"]",
"dateAdded": "2024-06-13",
"dueDate": "2024-07-04",
"knownRansomwareCampaignUse": "Unknown",
"notes": "https://docs.telerik.com/report-server/knowledge-base/registration-auth-bypass-cve-2024-4358; https://nvd.nist.gov/vuln/detail/CVE-2024-4358",
"product": "Telerik Report Server",
"requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
"shortDescription": "Progress Telerik Report Server contains an authorization bypass by spoofing vulnerability that allows an attacker to obtain unauthorized access.",
"vendorProject": "Progress",
"vulnerabilityName": "Progress Telerik Report Server Authentication Bypass by Spoofing Vulnerability"
},
"fkie_nvd": {
"cisaActionDue": "2024-07-04",
"cisaExploitAdd": "2024-06-13",
"cisaRequiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
"cisaVulnerabilityName": "Progress Telerik Report Server Authentication Bypass by Spoofing Vulnerability",
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:telerik:report_server_2024:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"10.0.24.305\", \"matchCriteriaId\": \"4DAE2DE9-B18F-40F5-AFFB-2E85D34BAA18\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability.\"}, {\"lang\": \"es\", \"value\": \"En Progress Telerik Report Server, versi\\u00f3n 2024 Q1 (10.0.24.305) o anterior, en IIS, un atacante no autenticado puede obtener acceso a la funcionalidad restringida de Telerik Report Server a trav\\u00e9s de una vulnerabilidad de omisi\\u00f3n de autenticaci\\u00f3n.\"}]",
"id": "CVE-2024-4358",
"lastModified": "2024-11-21T09:42:41.593",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security@progress.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}]}",
"published": "2024-05-29T15:16:06.477",
"references": "[{\"url\": \"https://docs.telerik.com/report-server/knowledge-base/registration-auth-bypass-cve-2024-4358\", \"source\": \"security@progress.com\", \"tags\": [\"Mitigation\", \"Vendor Advisory\"]}, {\"url\": \"https://docs.telerik.com/report-server/knowledge-base/registration-auth-bypass-cve-2024-4358\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mitigation\", \"Vendor Advisory\"]}]",
"sourceIdentifier": "security@progress.com",
"vulnStatus": "Undergoing Analysis",
"weaknesses": "[{\"source\": \"security@progress.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-290\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-290\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-4358\",\"sourceIdentifier\":\"security@progress.com\",\"published\":\"2024-05-29T15:16:06.477\",\"lastModified\":\"2025-10-31T21:57:12.057\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability.\"},{\"lang\":\"es\",\"value\":\"En Progress Telerik Report Server, versi\u00f3n 2024 Q1 (10.0.24.305) o anterior, en IIS, un atacante no autenticado puede obtener acceso a la funcionalidad restringida de Telerik Report Server a trav\u00e9s de una vulnerabilidad de omisi\u00f3n de autenticaci\u00f3n.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@progress.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"cisaExploitAdd\":\"2024-06-13\",\"cisaActionDue\":\"2024-07-04\",\"cisaRequiredAction\":\"Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.\",\"cisaVulnerabilityName\":\"Progress Telerik Report Server Authentication Bypass by Spoofing Vulnerability\",\"weaknesses\":[{\"source\":\"security@progress.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-290\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-290\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:telerik:report_server_2024:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"10.0.24.305\",\"matchCriteriaId\":\"4DAE2DE9-B18F-40F5-AFFB-2E85D34BAA18\"}]}]}],\"references\":[{\"url\":\"https://docs.telerik.com/report-server/knowledge-base/registration-auth-bypass-cve-2024-4358\",\"source\":\"security@progress.com\",\"tags\":[\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://docs.telerik.com/report-server/knowledge-base/registration-auth-bypass-cve-2024-4358\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-4358\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"US Government Resource\"]}]}}",
"vulnrichment": {
"containers": "{\"cna\": {\"affected\": [{\"defaultStatus\": \"unaffected\", \"platforms\": [\"Windows\"], \"product\": \"Telerik Report Server\", \"vendor\": \"Progress Software Corporation\", \"versions\": [{\"lessThan\": \"10.1.24.514\", \"status\": \"affected\", \"version\": \"1.0.0\", \"versionType\": \"semver\"}]}], \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative\"}], \"datePublic\": \"2024-05-29T14:00:00.000Z\", \"descriptions\": [{\"lang\": \"en\", \"supportingMedia\": [{\"base64\": false, \"type\": \"text/html\", \"value\": \"In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability.\"}], \"value\": \"In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability.\"}], \"impacts\": [{\"capecId\": \"CAPEC-115\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-115 Authentication Bypass\"}]}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"LOW\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"HIGH\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"scope\": \"UNCHANGED\", \"userInteraction\": \"NONE\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"version\": \"3.1\"}, \"format\": \"CVSS\", \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-290\", \"description\": \"CWE-290 Authentication Bypass by Spoofing\", \"lang\": \"en\", \"type\": \"CWE\"}]}], \"providerMetadata\": {\"orgId\": \"f9fea0b6-671e-4eea-8fde-31911902ae05\", \"shortName\": \"ProgressSoftware\", \"dateUpdated\": \"2024-05-29T14:51:21.612Z\"}, \"references\": [{\"url\": \"https://docs.telerik.com/report-server/knowledge-base/registration-auth-bypass-cve-2024-4358\"}], \"source\": {\"discovery\": \"UNKNOWN\"}, \"title\": \"Registration Authentication Bypass Vulnerability\", \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}}, \"adp\": [{\"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-01T20:40:46.999Z\"}, \"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://docs.telerik.com/report-server/knowledge-base/registration-auth-bypass-cve-2024-4358\", \"tags\": [\"x_transferred\"]}]}, {\"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-4358\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"active\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-06-14T13:56:10.408308Z\"}}}, {\"other\": {\"type\": \"kev\", \"content\": {\"dateAdded\": \"2024-06-13\", \"reference\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-4358\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:progress_software:telerik_report_server:1.0.0.0:*:*:*:*:*:*:*\"], \"vendor\": \"progress_software\", \"product\": \"telerik_report_server\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.0.0.0\", \"lessThan\": \"10.1.24.514\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-05-30T15:45:02.281Z\"}, \"timeline\": [{\"time\": \"2024-06-13T00:00:00+00:00\", \"lang\": \"en\", \"value\": \"CVE-2024-4358 added to CISA KEV\"}], \"title\": \"CISA ADP Vulnrichment\"}]}",
"cveMetadata": "{\"cveId\": \"CVE-2024-4358\", \"assignerOrgId\": \"f9fea0b6-671e-4eea-8fde-31911902ae05\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"ProgressSoftware\", \"dateReserved\": \"2024-04-30T17:34:38.695Z\", \"datePublished\": \"2024-05-29T14:51:21.612Z\", \"dateUpdated\": \"2025-07-28T19:43:14.331Z\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…