CVE-2024-11629
Published: 12 February 2025
Description
In Progress® Telerik® Document Processing Libraries, versions prior to 2025 Q1 (2025.1.205), using .NET Standard 2.0, the contents of a file at an arbitrary path can be exported to RTF.
Security Summary
CVE-2024-11629 is a vulnerability in Progress Telerik Document Processing Libraries, specifically versions prior to 2025 Q1 (2025.1.205) that use .NET Standard 2.0. It allows the contents of a file at an arbitrary path to be exported to RTF, and it is classified under CWE-552 (Files or Directories Accessible to External Parties). The issue was published on 2025-02-12 and carries a CVSS 3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L).
An attacker needs low privileges (PR:L) to exploit this vulnerability over the network (AV:N), with low attack complexity (AC:L) and no user interaction (UI:N). Exploitation allows reading the contents of arbitrary files by exporting them to RTF. The result is a high confidentiality impact (C:H) through unauthorized data disclosure, a low availability impact (A:L), and no integrity impact (I:N).
The official Telerik knowledge base article at https://docs.telerik.com/devtools/document-processing/knowledge-base/kb-security-rtf-filecontent-export-cve-2024-11629 gives details on mitigation. Upgrading to version 2025.1.205 or later resolves the issue in affected libraries.
Details
- CWE(s)