Arbitrary file creation on Code42 servers
Who is this article for?
Instructor, no.
Incydr Professional, Enterprise, Gov F2, and Horizon, yes.
Incydr Basic, Advanced, and Gov F1, yes.
CrashPlan Cloud, yes.
Retired product plans, yes.
CrashPlan for Small Business, no.
Overview
This article provides details about a security vulnerability on Code42 servers.
Description
A vulnerability has been identified that may allow arbitrary files to be uploaded to Code42 servers and executed.
Affected versions
- Code42 environments with on-premises authority or storage servers running the following versions:
- 7.0.0
- 6.8.4 - 6.8.8
- 6.7.5 and older
Resolution
This vulnerability is fixed in on-premises Code42 server versions 6.7.6, 6.8.9, and 7.0.2. To remediate this vulnerability, upgrade your environment.
CVE details
| CVE ID | CVE-2019-15131 |
|---|---|
| Date published | September 16, 2019 |
| Number of vulnerabilities | 1 |
| Products | Code42 for Enterprise |
| Affected product versions |
Code42 server versions 6.7.5 and earlier, 6.8.4 - 6.8.8, and 7.0.0 |
| Vulnerability type | Directory traversal |
| Attack type | Remote |
| Impact | Code execution |
| Affected components | Code42 authority and storage servers |
| Attack vectors | An attacker can access Code42 servers and upload files. |
| Description of the vulnerability | This vulnerability could allow an attacker to create directories and save files on Code42 servers, which could potentially lead to code execution. |
| CVSS v3 |
Score: 9.1 Vector string: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C |
| Additional information | Thanks to An Trinh of Viettel Cyber Security for discovering this vulnerability. |
Other Code42 resources
- Code42: Security
-
If you want to be notified when Code42 identifies a security vulnerability, navigate to the Code42 email preferences page and check the box "Common Security and Vulnerability Reports" in the preferences form.
