Telerik RadAsyncUpload Arbitrary File Upload and RCE Vulnerabilities (CVE-2014-2217/CVE-2017-11317) Advisory

### Unrestricted File Upload in RadAsyncUpload #### Problem Security vulnerabilities CVE-2014-2217 and CVE-2017-11317: weak encryption has been used in old versions of Telerik.Web.UI to encrypt data used by RadAsyncUpload. #### Description An exploit can result in arbitrary file uploads and/or remote code execution. #### Solutions Due to the .NET JavaScriptSerializer Deserialization (CVE-2019-18935) vulnerability, we strongly recommend upgrading to R1 2020 (version 2020.1.114) or later since the patches provided for CVE-2014-2217 and CVE-2017-11317 do not prevent it. #### Depreciated Solutions - **Introduction** and mitigation paths for all versions. - **Instructions** for versions between Q1 2011 (2011.1.315) and R3 2016 SP2 (2016.3.1027). - **Instructions** for versions between R1 2017 (2017.1.118) and R2 2017 SP1 (2017.2.621). - **Instructions** for versions between R2 2017 SP2 (2017.2.711) and R3 2019 (2019.3.917). - **Instructions** for versions R3 2019 SP1 (2019.3.1023) and later. - Recommendations for improved security. #### Notes We would like to thank Paul Taylor / Foregenix Ltd and Markus Wultange of Code White GmbH for assisting with making the information public. #### External References - CVE-2014-2217 - CVE-2017-11317 #### See Also - Security - Cryptographic Weakness - Insecure Direct Object Reference - Allows JavaScriptSerializer Deserialization - Blue Mockingbird Vulnerability Picks up Steam—Telerik Guidance - UploadedFiles.SaveAs Throws FileNotFoundException with Custom Handler - Implications for Sitefinity websites

Goal Reached Thanks to every supporter — we hit 100%!

Telerik RadAsyncUpload Arbitrary File Upload and RCE Vulnerabilities (CVE-2014-2217/CVE-2017-11317) Advisory