製品・ソフトウェアに関する情報

JVN脆弱性詳細

Telerik UI for ASP.NET AJAX における暗号強度に関する脆弱性

Title	Telerik UI for ASP.NET AJAX における暗号強度に関する脆弱性
Summary	Telerik UI for ASP.NET AJAX には、暗号強度に関する脆弱性が存在します。
Possible impacts	情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Aug. 22, 2017, midnight
Registration Date	Sept. 20, 2017, 4:57 p.m.
Last Update	Sept. 20, 2017, 4:57 p.m.

Affected System

Telerik

Telerik UI for ASP.NET AJAX R1 2017 未満

Telerik UI for ASP.NET AJAX R2 2017 SP2 未満の R2

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
CISA Known Exploited Vulnerabilities Catalog
1	CVE-2017-11317	https://cisa.gov/known-exploited-vulnerabilities-catalog
Common Vulnerabilities and Exposures (CVE)
2	CVE-2017-11317	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11317
National Vulnerability Database (NVD)
3	CVE-2017-11317	https://nvd.nist.gov/vuln/detail/CVE-2017-11317

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-326	https://cwe.mitre.org/data/definitions/326.html

ベンダー情報

No	Name	URL
Telerik
1	Unrestricted File Upload	http://www.telerik.com/support/kb/aspnet-ajax/upload-%28async%29/details/unrestricted-file-upload

その他

No	Name	URL
ICS-CERT ADVISORY
1	ICSA-21-077-03	https://us-cert.cisa.gov/ics/advisories/icsa-21-077-03

Change Log

No	Changed Details	Date of change
1	[2021年03月29日] 参考情報：ICS-CERT ADVISORY (ICSA-21-077-03) を追加	March 29, 2021, 4:13 p.m.
0	[2017年09月20日] 掲載	Feb. 17, 2018, 10:37 a.m.
2	[2024年07月08日] 参考情報：CISA Known Exploited Vulnerabilities Catalog (CVE-2017-11317) を追加	July 8, 2024, 2:38 p.m.

NVD Vulnerability Information

CVE-2017-11317

Summary	Telerik.Web.UI in Progress Telerik UI for ASP.NET AJAX before R1 2017 and R2 before R2 2017 SP2 uses weak RadAsyncUpload encryption, which allows remote attackers to perform arbitrary file uploads or execute arbitrary code.
Summary	Telerik.Web.UI en Progress Telerik UI for ASP.NET AJAX en versiones anteriores a la R1 2017 y R2 en versiones anteriores a la R2 2017 SP2 emplea un cifrado RadAsyncUpload débil, lo que permite que atacantes remotos realicen subidas de archivos arbitrarios o ejecuten código arbitrario.
Publication Date	Aug. 24, 2017, 2:29 a.m.
Registration Date	Jan. 26, 2021, 1:12 p.m.
Last Update	April 22, 2026, 2:42 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:telerik:ui_for_asp.net_ajax::::::::		2016.3.1027
cpe:2.3:a:telerik:ui_for_asp.net_ajax:2017.2.503:::::::*
cpe:2.3:a:telerik:ui_for_asp.net_ajax:2017.2.621:::::::*

Related information, measures and tools

No	URL	refsource
1	http://packetstormsecurity.com/files/159653/Telerik-UI-ASP.NET-AJAX-RadAsyncUpload-Deserialization.html	cve@mitre.org
2	http://www.telerik.com/support/kb/aspnet-ajax/upload-%28async%29/details/unrestricted-file-upload	cve@mitre.org
3	https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0006	cve@mitre.org
4	https://www.exploit-db.com/exploits/43874/	cve@mitre.org
5	http://packetstormsecurity.com/files/159653/Telerik-UI-ASP.NET-AJAX-RadAsyncUpload-Deserialization.html	af854a3a-2127-422b-91ae-364da2661108
6	http://www.telerik.com/support/kb/aspnet-ajax/upload-%28async%29/details/unrestricted-file-upload	af854a3a-2127-422b-91ae-364da2661108
7	https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0006	af854a3a-2127-422b-91ae-364da2661108
8	https://www.exploit-db.com/exploits/43874/	af854a3a-2127-422b-91ae-364da2661108
9	https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-11317	134c704f-9b21-4f2e-91b3-4a467353bcc0

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-326	不適切な暗号強度	https://cwe.mitre.org/data/definitions/326.html