CVE-2019-18935


Description

Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution. (As of 2020.1.114, a default setting prevents the exploit. In 2019.3.1023, but not earlier versions, a non-default setting can prevent exploitation.)

References

http://packetstormsecurity.com/files/155720/Telerik-UI-Remote-Code-Execution.html

http://packetstormsecurity.com/files/159653/Telerik-UI-ASP.NET-AJAX-RadAsyncUpload-Deserialization.html

https://codewhitesec.blogspot.com/2019/02/telerik-revisited.html

https://github.com/bao7uo/RAU_crypto

https://github.com/noperator/CVE-2019-18935

https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-ui

https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization

https://www.telerik.com/support/whats-new/aspnet-ajax/release-history/ui-for-asp-net-ajax-r1-2020-(version-2020-1-114)

https://www.telerik.com/support/whats-new/release-history

Details

Source: MITRE

Published: 2019-12-11

Updated: 2020-10-20

Type: CWE-502

Risk Information

CVSS v2

Base Score: 7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 10

Severity: HIGH

CVSS v3

Base Score: 9.8

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Impact Score: 5.9

Exploitability Score: 3.9

Severity: CRITICAL

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:telerik:ui_for_asp.net_ajax:*:*:*:*:*:*:*:*

Tenable Plugins

ID      Name                                                                           Product                   Family                   Severity
112521  Telerik UI for ASP.NET AJAX RadAsyncUpload .NET Deserialization Vulnerability  Web Application Scanning  Component Vulnerability  critical
135970  Telerik UI for ASP.NET AJAX RadAsyncUpload .NET Deserialization Vulnerability  Nessus                    Windows                  critical