Arbitrary file creation on Code42 servers

Overview

This article provides details about a security vulnerability on Code42 servers.

To protect the security of our customers, we don't publish a security advisory until a vulnerability has been fully investigated and a patch or update is available that resolves the issue.

For more information about security at Code42, see our Security page. If you believe you've found a Code42 security vulnerability, see Report a security vulnerability to Code42.

If you have questions or concerns, contact our Customer Champions for support.

Description

A vulnerability has been identified that may allow arbitrary files to be uploaded to Code42 servers and executed.

Affected versions

Code42 environments with on-premises authority or storage servers running the following versions:
- 7.0.0
- 6.8.4 - 6.8.8
- 6.7.5 and older

Resolution

This vulnerability is fixed in on-premises Code42 server versions 6.7.6, 6.8.9, and 7.0.2. To remediate this vulnerability, upgrade your environment.

CVE details

CVE ID	CVE-2019-15131
Date published	September 16, 2019
Number of vulnerabilities	1
Products	Code42 for Enterprise
Affected product versions	Code42 server versions 6.7.5 and earlier, 6.8.4 - 6.8.8, and 7.0.0
Vulnerability type	Directory traversal
Attack type	Remote
Impact	Code execution
Affected components	Code42 authority and storage servers
Attack vectors	An attacker can access Code42 servers and upload files.
Description of the vulnerability	This vulnerability could allow an attacker to create directories and save files on Code42 servers, which could potentially lead to code execution.
CVSS v3	Score: 9.1 Vector string: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Additional information	Thanks to An Trinh of Viettel Cyber Security for discovering this vulnerability.

Other Code42 resources

Code42: Security
If you want to be notified when Code42 identifies a security vulnerability, sign up for email notifications.