CVE-2017-11317

CVE Published	2017-08-23
Related CWE(s)	CWE-326: Inadequate Encryption Strength
Related Vendor(s)	telerik
Related Product(s)	ui_for_asp.net_ajax
Exploitation Reported (CISA KEV)	2022-04-11
CVSS 3 Base Score	9.8 (CRITICAL)
CVSS 3 Attack Complexity	LOW
CVSS 3 Attack Vector	NETWORK

Telerik.Web.UI in Progress Telerik UI for ASP.NET AJAX before R1 2017 and R2 before R2 2017 SP2 uses weak RadAsyncUpload encryption, which allows remote attackers to perform arbitrary file uploads or execute arbitrary code.

Cyber Threat Graph Context

Explore how this CVE relates to the wider threat graph

Associated CAPEC Patterns

Brute Force (CAPEC-112)

In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset.

Protocol Analysis (CAPEC-192)

An adversary engages in activities to decipher and/or decode protocol information for a network or application communication protocol used for transmitting information between interconnected nodes or systems on a packet-switched data network. While this type of analysis involves the analysis of a networking protocol inherently, it does not require the presence of an actual or physical network.

Encryption Brute Forcing (CAPEC-20)

An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.

References

CVE.org

View more information about CVE-2017-11317 on the official MITRE CVE website.

NIST National Vulnerability Database

CVE-2017-11317 on the NIST NVD.

CISA Known Exploited Vulnerabilities