Permissions vulnerability in Code42 app on Linux

Who is this article for?

CrashPlan for Small Business: yes
Code42 for Enterprise: yes

See Product plans and features.

Overview

This article provides details about a security vulnerability in the Code42 app on Linux.  

To protect the security of our customers, we don't publish a security advisory until a vulnerability has been fully investigated and a patch or update is available that resolves the issue.

For more information about security at Code42, see our Security page. To report a potential security vulnerability, contact bugs@code42.com.

If you have questions or concerns, contact our Code42 Customer Champions.

Description

Code42 has identified a vulnerability in the Code42 app on Linux that allows an attacker to create files in the log directory that the Code42 app accesses as root.

Affected versions

Code42 app version 6.8.3 and earlier on Linux devices

Resolution

This vulnerability has been fixed in Code42 app version 6.8.4 and later. To remediate this vulnerability, upgrade the Code42 apps in your environment.

If you are unable to upgrade at this time, additional workarounds may be available depending on your deployment. Contact our Code42 Customer Champions for more information.

CVE details

CVE ID: CVE-2018-20131
Date published: December 13, 2018
Number of vulnerabilities: 1
Products: Code42 for Enterprise
Affected product versions: Code42 app 6.8.3 and earlier on Linux
Vulnerability type: Insecure permissions
Attack type: Local
Impact: Escalation of privileges
Affected components: Linux, security
Attack vectors: An attacker can create files in the log directory that the Code42 app accesses as root.
Description of the vulnerability: In Code42 app version 6.8.3 and earlier on Linux devices, the Code42 app installs with overly permissive permissions on the /usr/local/crashplan/log directory. This allows a user to manipulate symbolic links to escalate privileges or show the contents of sensitive files that a regular user would not have access to.
