CVE-2019-18935
Vulnerability from cvelistv5
Published
2019-12-11 00:00
Modified
2025-02-04 20:04
Severity ?
EPSS score ?
Summary
Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution. (As of 2020.1.114, a default setting prevents the exploit. In 2019.3.1023, but not earlier versions, a non-default setting can prevent exploitation.)
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:02:40.029Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.telerik.com/support/whats-new/release-history"
},
{
"tags": [
"x_transferred"
],
"url": "https://codewhitesec.blogspot.com/2019/02/telerik-revisited.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/bao7uo/RAU_crypto"
},
{
"tags": [
"x_transferred"
],
"url": "https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-ui"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/noperator/CVE-2019-18935"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/155720/Telerik-UI-Remote-Code-Execution.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.telerik.com/support/whats-new/aspnet-ajax/release-history/ui-for-asp-net-ajax-r1-2020-%28version-2020-1-114%29"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/159653/Telerik-UI-ASP.NET-AJAX-RadAsyncUpload-Deserialization.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.bleepingcomputer.com/news/security/us-federal-agency-hacked-using-old-telerik-bug-to-steal-data/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2019-18935",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-04T20:02:54.779183Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2021-11-03",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2019-18935"
},
"type": "kev"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-04T20:04:50.416Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution. (As of 2020.1.114, a default setting prevents the exploit. In 2019.3.1023, but not earlier versions, a non-default setting can prevent exploitation.)"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-15T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.telerik.com/support/whats-new/release-history"
},
{
"url": "https://codewhitesec.blogspot.com/2019/02/telerik-revisited.html"
},
{
"url": "https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization"
},
{
"url": "https://github.com/bao7uo/RAU_crypto"
},
{
"url": "https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-ui"
},
{
"url": "https://github.com/noperator/CVE-2019-18935"
},
{
"url": "http://packetstormsecurity.com/files/155720/Telerik-UI-Remote-Code-Execution.html"
},
{
"url": "https://www.telerik.com/support/whats-new/aspnet-ajax/release-history/ui-for-asp-net-ajax-r1-2020-%28version-2020-1-114%29"
},
{
"url": "http://packetstormsecurity.com/files/159653/Telerik-UI-ASP.NET-AJAX-RadAsyncUpload-Deserialization.html"
},
{
"url": "https://www.bleepingcomputer.com/news/security/us-federal-agency-hacked-using-old-telerik-bug-to-steal-data/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-18935",
"datePublished": "2019-12-11T00:00:00.000Z",
"dateReserved": "2019-11-13T00:00:00.000Z",
"dateUpdated": "2025-02-04T20:04:50.416Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2019-18935\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2019-12-11T13:15:11.767\",\"lastModified\":\"2025-03-14T17:38:23.560\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution. (As of 2020.1.114, a default setting prevents the exploit. In 2019.3.1023, but not earlier versions, a non-default setting can prevent exploitation.)\"},{\"lang\":\"es\",\"value\":\"Progress Telerik UI para ASP.NET AJAX hasta 2019.3.1023 contiene una vulnerabilidad de deserializaci\u00f3n de .NET en la funci\u00f3n RadAsyncUpload. Esto es explotable cuando las claves de cifrado se conocen debido a la presencia de CVE-2017-11317 o CVE-2017-11357, u otros medios. La explotaci\u00f3n puede resultar en la ejecuci\u00f3n remota de c\u00f3digo. (A partir de 2020.1.114, una configuraci\u00f3n predeterminada evita la explotaci\u00f3n. En 2019.3.1023, pero no en versiones anteriores, una configuraci\u00f3n no predeterminada puede evitar la explotaci\u00f3n).\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"cisaExploitAdd\":\"2021-11-03\",\"cisaActionDue\":\"2022-05-03\",\"cisaRequiredAction\":\"Apply updates per vendor instructions.\",\"cisaVulnerabilityName\":\"Progress Telerik UI for ASP.NET AJAX Deserialization of Untrusted Data Vulnerability\",\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:telerik:ui_for_asp.net_ajax:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2011.1.315\",\"versionEndIncluding\":\"2020.1.114\",\"matchCriteriaId\":\"4830E2C4-2481-466D-B46F-8562D226CC41\"}]}]}],\"references\":[{\"url\":\"http://packetstormsecurity.com/files/155720/Telerik-UI-Remote-Code-Execution.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://packetstormsecurity.com/files/159653/Telerik-UI-ASP.NET-AJAX-RadAsyncUpload-Deserialization.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://codewhitesec.blogspot.com/2019/02/telerik-revisited.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Not Applicable\"]},{\"url\":\"https://github.com/bao7uo/RAU_crypto\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/noperator/CVE-2019-18935\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-ui\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://www.bleepingcomputer.com/news/security/us-federal-agency-hacked-using-old-telerik-bug-to-steal-data/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Press/Media Coverage\"]},{\"url\":\"https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://www.telerik.com/support/whats-new/aspnet-ajax/release-history/ui-for-asp-net-ajax-r1-2020-%28version-2020-1-114%29\",\"source\":\"cve@mitre.org\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://www.telerik.com/support/whats-new/release-history\",\"source\":\"cve@mitre.org\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"http://packetstormsecurity.com/files/155720/Telerik-UI-Remote-Code-Execution.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://packetstormsecurity.com/files/159653/Telerik-UI-ASP.NET-AJAX-RadAsyncUpload-Deserialization.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://codewhitesec.blogspot.com/2019/02/telerik-revisited.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Not Applicable\"]},{\"url\":\"https://github.com/bao7uo/RAU_crypto\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/noperator/CVE-2019-18935\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-ui\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://www.bleepingcomputer.com/news/security/us-federal-agency-hacked-using-old-telerik-bug-to-steal-data/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Press/Media Coverage\"]},{\"url\":\"https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://www.telerik.com/support/whats-new/aspnet-ajax/release-history/ui-for-asp-net-ajax-r1-2020-%28version-2020-1-114%29\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://www.telerik.com/support/whats-new/release-history\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]}]}}"
}
}
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.