CVE-2017-11357
Published: 23 August 2017
Summary
CVE-2017-11357 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Progress Telerik UI for ASP.NET AJAX. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and CM-7 (Least Functionality).
Deeper analysis
Progress Telerik UI for ASP.NET AJAX before R2 2017 SP2 contains an unrestricted file upload vulnerability in the RadAsyncUpload component. The component fails to properly validate or restrict user-supplied input, enabling attackers to supply arbitrary files. This issue is tracked as CWE-434 and carries a CVSS 3.1 base score of 9.8, reflecting network-accessible, unauthenticated exploitation with high impact on confidentiality, integrity, and availability.
Remote attackers can send crafted requests directly to the RadAsyncUpload handler to upload malicious files to the server or achieve arbitrary code execution without authentication or user interaction. Successful exploitation grants full control over the affected web application and underlying host.
Telerik advisory documentation describes the root cause as an insecure direct object reference in the upload control and states that the issue is resolved in R2 2017 SP2. The vulnerability appears in the CISA Known Exploited Vulnerabilities catalog, and public exploit code has been published on Exploit-DB.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2017-2986
Vulnerability details
Progress Telerik UI for ASP.NET AJAX before R2 2017 SP2 does not properly restrict user input to RadAsyncUpload, which allows remote attackers to perform arbitrary file uploads or execute arbitrary code.
- CWE(s): CWE-434
- KEV Date Added: 26 January 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation of user-supplied input to the RadAsyncUpload component, blocking the arbitrary file uploads that enable code execution in this CVE.
- Mandates malicious-code scanning and blocking mechanisms that would inspect and reject the dangerous files uploaded via the vulnerable handler.
- CM-7 (Least Functionality): Requires disabling or restricting non-essential upload functionality and features in the Telerik component until proper file-type and content restrictions are enforced.
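The following is an added example, not Telerik's or Progress's code, of what the input-validation and least-functionality controls above look like in a server-side upload handler: a deny-by-default extension allowlist, rejection of server-executable types anywhere in the name, a content check against the declared type, and a server-chosen storage name so the client cannot steer where the file lands. It is written in Python for illustration rather than as the ASP.NET handler itself; the allowlist, magic bytes and size limit are constructed for the demo.

```python
import re
import secrets

# Constructed allowlist: the only types this hypothetical application needs (CM-7),
# each paired with the leading bytes a genuine file of that type must start with.
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}

# Extensions ASP.NET/IIS will execute, or that alter handler configuration, if they
# land in a served directory. Rejected wherever they appear (e.g. shell.aspx.png).
SERVER_EXECUTABLE = {".aspx", ".ashx", ".asmx", ".asax", ".config", ".dll", ".cshtml"}

MAX_BYTES = 5 * 1024 * 1024  # constructed size limit


def validate_upload(client_name: str, content: bytes) -> tuple[bool, str]:
    """Return (accepted, server_filename_or_rejection_reason).

    The client-supplied name is used only to learn the declared type; the stored
    name (and, in a real handler, the destination directory) is chosen by the server.
    """
    # 1. Keep only the final path component; directory parts from the client are never trusted.
    base = re.split(r"[\\/]", client_name)[-1].strip().lower()
    # 2. Reject control characters and IIS-special separators before parsing extensions.
    if not base or re.search(r"[\x00-\x1f;:%]", base):
        return False, "rejected: malformed file name"
    parts = base.split(".")
    if len(parts) < 2:
        return False, "rejected: no extension"
    # 3. Any executable extension anywhere in the name (double extensions) is rejected.
    if {"." + p for p in parts[1:]} & SERVER_EXECUTABLE:
        return False, "rejected: server-executable type"
    ext = "." + parts[-1]
    # 4. Deny by default: only allowlisted types pass (SI-10).
    if ext not in ALLOWED_TYPES:
        return False, f"rejected: type {ext} not allowed"
    # 5. Size cap, then the bytes must actually match the declared type.
    if len(content) > MAX_BYTES:
        return False, "rejected: too large"
    if not content.startswith(ALLOWED_TYPES[ext]):
        return False, "rejected: content does not match declared type"
    # 6. Server-generated name; the extension comes from the allowlist, not the client.
    return True, f"{secrets.token_hex(16)}{ext}"
```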