KB security

dessyordanova · dessyordanova · commit b0697f939c0f · 2025-02-12T12:38:46.000+02:00
diff --git a/knowledge-base/kb-security-path-traversal-cve-2024-11343.md b/knowledge-base/kb-security-path-traversal-cve-2024-11343.md
@@ -0,0 +1,43 @@
+---
+title: Path Traversal Vulnerability (11343)
+description: "How to mitigate CVE-2024-11343, a path traversal vulnerability."
+slug: kb-security-excessive-iteration-cve-2024-11343
+res_type: kb
+---
+
+## Description
+
+Product Alert – February 2025 - [CVE-2024-11343](https://www.cve.org/CVERecord?id=CVE-2024-11343)
+
+- Progress® Telerik® Document Processing Libraries 2024 Q4 (2024.4.1106) or earlier.
+
+## Issue
+
+CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
+
+### What Are the Impacts
+
+In Progress® Telerik® Document Processing, versions prior to 2025 Q1 (2025.1.2xx), improper limitation of a target path can lead to decompressing an archive's content into a restricted directory.
+
+## Solution
+
+We have addressed the issue and the Progress Telerik team strongly recommends performing an upgrade to the latest version listed in the table below.
+
+| Current Version | Guidance |
+|-----------------|----------|
+| 2024 Q4 (2024.4.1106) or earlier | Update to 2025 Q1 (2025.1.2xx) ([update instructions](({%slug installation-upgrade-instructions%}))) |
+
+All customers who have a Telerik license can access the downloads here [Product Downloads | Your Account](https://www.telerik.com/account/downloads/product-download). Note, Telerik Document Processing is not a separate product, it is distributed with the primary product you are using. More information can be found here: [What Versions of Document Processing Libraries are Distributed with the Telerik Products]({%slug distribute-telerik-document-processing-libraries-net-versions%}).
+
+## Notes
+
+- To check your version of Document Processing, look at the Properties of `Telerik.Documents.*.dll` (or `Telerik.Windows.Document.*.dll`) files and inspect the Version value.
+- If you have any questions or concerns related to this issue, open a new Technical Support case in [Your Account | Support Center](https://www.telerik.com/account/support-center/contact-us/). Technical Support is available to Telerik customers with an active support plan.
+
+## External References
+
+[CVE-2024-11343](https://www.cve.org/CVERecord?id=CVE-2024-11343) (HIGH)
+
+**CVSS:** 7.3
+
+In Progress® Telerik® Document Processing, versions prior to 2025 Q1 (2025.1.2xx), improper limitation of a target path can lead to decompressing an archive's content into a restricted directory.
diff --git a/knowledge-base/kb-security-rtf-filecontent-export-cve-2024-11629.md b/knowledge-base/kb-security-rtf-filecontent-export-cve-2024-11629.md
@@ -0,0 +1,43 @@
+---
+title: Arbitrary File Export (11629)
+description: "How to mitigate CVE-2024-11629, a arbitrary file export vulnerability."
+slug: kb-security-excessive-iteration-cve-2024-11629
+res_type: kb
+---
+
+## Description
+
+Product Alert – February 2025 - [CVE-2024-11629](https://www.cve.org/CVERecord?id=CVE-2024-11629)
+
+- Progress® Telerik® Document Processing Libraries 2024 Q4 (2024.4.1106) or earlier.
+
+## Issue
+
+CWE-552 Files or Directories Accessible to External Parties
+
+### What Are the Impacts
+
+In Progress Telerik Document Processing Libraries, versions prior to 2025 Q1 (2025.1.2xx), using .NET Standard 2.0, the contents of a file at an arbitrary path can be exported to RTF.
+
+## Solution
+
+We have addressed the issue and the Progress Telerik team strongly recommends performing an upgrade to the latest version listed in the table below.
+
+| Current Version | Guidance |
+|-----------------|----------|
+| 2024 Q4 (2024.4.1106) or earlier | Update to 2025 Q1 (2025.1.2xx) ([update instructions](({%slug installation-upgrade-instructions%}))) |
+
+All customers who have a Telerik license can access the downloads here [Product Downloads | Your Account](https://www.telerik.com/account/downloads/product-download). Note, Telerik Document Processing is not a separate product, it is distributed with the primary product you are using. Therefore, we recommend upgrading the primary product to 2025 Q1 to automatically recieve the Document Processing improvements. More information can be found here: [What Versions of Document Processing Libraries are Distributed with the Telerik Products]({%slug distribute-telerik-document-processing-libraries-net-versions%}).
+
+## Notes
+
+- To check your version of Document Processing, look at the Properties of `Telerik.Documents.*.dll` (or `Telerik.Windows.Document.*.dll`) files and inspect the Version value.
+- If you have any questions or concerns related to this issue, open a new Technical Support case in [Your Account | Support Center](https://www.telerik.com/account/support-center/contact-us/). Technical Support is available to Telerik customers with an active support plan.
+
+## External References
+
+[CVE-2024-11629](https://www.cve.org/CVERecord?id=CVE-2024-11629) (HIGH)
+
+**CVSS:** 7.3
+
+In Progress Telerik Document Processing Libraries, versions prior to 2025 Q1 (2025.1.2xx), using .NET Standard 2.0, the contents of a file at an arbitrary path can be exported to RTF.
diff --git a/release-notes/2025/release-notes-2025-1-205.md b/release-notes/2025/release-notes-2025-1-205.md
@@ -93,11 +93,11 @@ position: 99
 
 ![fixed](../images/fixed.png)
 
-* Remediated Security Vulnerability CVE-2024-11629.  **<sup>.NET Standard</sup>**
+* Remediated Security Vulnerability [CVE-2024-11629]({%slug kb-security-excessive-iteration-cve-2024-11629%}).  <sup>.NET Standard</sup>
 
 ## ZipLibrary
 
 
 ![fixed](../images/fixed.png)
 
-* Remediated Security Vulnerability CVE-2024-11343.
+* Remediated Security Vulnerability [CVE-2024-11343]({%slug kb-security-excessive-iteration-cve-2024-11343%}).
