Who is this article for?

CrashPlan for Small Business, no.

Code42 for Enterprise, yes.

Arbitrary file creation on Code42 servers

Overview

This article provides details about a security vulnerability on Code42 servers.  

To protect the security of our customers, we don't publish a security advisory until a vulnerability has been fully investigated and a patch or update is available that resolves the issue.

For more information about security at Code42, see our Security page. If you believe you've found a Code42 security vulnerability, see Report a security vulnerability to Code42.

If you have questions or concerns, contact our Customer Champions for support.

Description

A vulnerability has been identified that may allow arbitrary files to be uploaded to Code42 servers and executed. 

Affected versions

  • Code42 environments with on-premises authority or storage servers running the following versions:
    • 7.0.0
    • 6.8.4 - 6.8.8
    • 6.7.5 and older

Resolution

This vulnerability is fixed in on-premises Code42 server versions 6.7.6, 6.8.9, and 7.0.2. To remediate this vulnerability, upgrade your environment.
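The following is an added example, not Code42's own tooling: a small triage script that checks an inventory of on-premises server versions against the affected ranges and fixed releases listed in this advisory. The hostnames, the inventory format and the function names are assumptions made for illustration; versions the advisory does not mention are reported as "not listed" rather than guessed at.

```python
import re

# Inclusive ranges and fixed releases copied from this advisory.
AFFECTED = [
    ((0, 0, 0), (6, 7, 5)),  # "6.7.5 and older"
    ((6, 8, 4), (6, 8, 8)),  # "6.8.4 - 6.8.8"
    ((7, 0, 0), (7, 0, 0)),  # "7.0.0"
]
FIXED = [(6, 7, 6), (6, 8, 9), (7, 0, 2)]


def parse_version(text):
    """Parse 'X.Y.Z' into a tuple of ints; reject anything else."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"not an X.Y.Z version: {text!r}")
    return tuple(int(p) for p in m.groups())


def triage(version_text):
    """Return (status, fixed_releases_newer_than_this_version)."""
    v = parse_version(version_text)
    if any(lo <= v <= hi for lo, hi in AFFECTED):
        return "affected", [".".join(map(str, f)) for f in FIXED if f > v]
    if v in FIXED:
        return "fixed", []
    # Anything the advisory does not mention, e.g. 6.8.0-6.8.3 or 7.0.1.
    return "not listed", []


def triage_inventory(servers):
    """Map each server name to its triage result; flag malformed versions."""
    report = {}
    for name, version_text in servers.items():
        try:
            report[name] = triage(version_text)
        except ValueError:
            report[name] = ("unparseable", [])
    return report


# Constructed sample inventory (hostnames are hypothetical).
SAMPLE = {
    "authority-01": "7.0.0", "storage-01": "6.8.6", "storage-02": "6.8.9",
    "storage-03": "6.5.2", "storage-04": "7.0.1", "storage-05": "unknown",
}

if __name__ == "__main__":
    for host, (status, targets) in triage_inventory(SAMPLE).items():
        hint = f" -> fixed releases: {', '.join(targets)}" if targets else ""
        print(f"{host}: {status}{hint}")
```

Servers reported as "not listed" or "unparseable" need a manual check against the advisory before they are treated as safe.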

CVE details

CVE ID: CVE-2019-15131
Date published: September 16, 2019
Number of vulnerabilities: 1
Products: Code42 for Enterprise
Affected product versions: Code42 server versions 6.7.5 and earlier, 6.8.4 - 6.8.8, and 7.0.0
Vulnerability type: Directory traversal
Attack type: Remote
Impact: Code execution
Affected components: Code42 authority and storage servers
Attack vectors: An attacker can access Code42 servers and upload files.
Description of the vulnerability: This vulnerability could allow an attacker to create directories and save files on Code42 servers, which could potentially lead to code execution.
CVSS v3 score: 9.1
CVSS v3 vector string: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Additional information: Thanks to An Trinh of Viettel Cyber Security for discovering this vulnerability.
