Insecure Deserialization Vulnerability in Telerik UI for WPF
CVE-2024-10095

9.8 CRITICAL

Key Information:

Vendor: Progress Software
CVE Published: 16 December 2024

What is CVE-2024-10095?

CVE-2024-10095 is a significant vulnerability found in Progress Software's Telerik UI for WPF, a framework widely used for developing rich desktop applications in .NET environments. This vulnerability allows for insecure deserialization, which can be exploited by malicious actors to execute arbitrary code remotely. If an organization utilizes this software without applying the necessary updates, it faces serious risks concerning data integrity and system security, potentially leading to unauthorized access and significant operational disruptions.

Technical Details

The vulnerability is categorized as an insecure deserialization flaw and affects versions of Telerik UI for WPF released prior to the 2024 Q4 update (2024.4.1213). Insecure deserialization occurs when serialized data from an untrusted source is reconstructed into application objects without adequate validation, allowing an attacker to influence which types and values the application instantiates and how it processes them. If exploited successfully, this can lead to various attacks, including remote code execution. The specific technical mechanisms and exploitation pathways have not been detailed, but they are centered around the unsafe handling of deserialized data within the affected framework.

Potential impact of CVE-2024-10095

  1. Remote Code Execution: The most significant impact of this vulnerability is the potential for attackers to execute arbitrary code on vulnerable systems, which can lead to full system compromise and control over the application environment.

  2. Data Breach Risk: Exploitation of this vulnerability can result in unauthorized access to sensitive data, thereby increasing the risk of data breaches. Organizations storing confidential information could face severe regulatory and reputational consequences.

  3. Operational Disruption: If exploited, this vulnerability may disrupt business operations, as compromised applications can be rendered inoperative or manipulated to perform unauthorized actions, posing risks to service availability and reliability.

Affected Version(s)

Product: Telerik UI for WPF
Platform: Windows
Affected versions: all versions below 2024.4.1213 (0 <= version < 2024.4.1213)

News Articles

Unsafe Deserialization Vulnerability CVE-2024-10095 - Telerik UI for WPF

How to mitigate CVE-2024-10095, an unsafe deserialization vulnerability.

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • First article discovered by Telerik.com

  • Vulnerability published

  • Vulnerability reserved