Skip to main content
Contact Support

Who is this article for?

Incydr Professional, Enterprise, Horizon, and Gov F2
Incydr Basic, Advanced, and Gov F1

Find your product plan in the Code42 console on the Account menu.

Instructor, no.

Incydr Professional, Enterprise, Horizon, and Gov F2, yes.

Incydr Basic, Advanced, and Gov F1, yes.

HOME
GETTING STARTED
RELEASE NOTES
FAQs
APIs
SYSTEM STATUS
Code42 Support

Remote code execution on Code42 servers

  1. Last updated
  2. Save as PDF

Who is this article for?

Incydr Professional, Enterprise, Horizon, and Gov F2
Incydr Basic, Advanced, and Gov F1

Find your product plan in the Code42 console on the Account menu.

Instructor, no.

Incydr Professional, Enterprise, Horizon, and Gov F2, yes.

Incydr Basic, Advanced, and Gov F1, yes.

Overview

This article provides details about a security vulnerability affecting on-premises Code42 servers.  

To protect the security of our customers, we don't publish a security advisory until a vulnerability has been fully investigated and a patch or update is available that resolves the issue.

For more information about security at Code42, see our Security page. If you believe you've found a Code42 security vulnerability, see Report a security vulnerability to Code42.

If you have questions or concerns, contact our Technical Support Engineers.

Description

A vulnerability has been identified that could allow an attacker to escalate privilege and execute arbitrary code on an on-premises Code42 server.

Affected product and versions

Code42 environments with on-premises Code42 servers running version 7.0.4 or earlier. 

Resolution

This vulnerability is fixed in on-premises Code42 server version 7.0.5 and later. To remediate this vulnerability, upgrade your environment. 

CVE details

CVE ID CVE-2020-12736
Date published July 6, 2020
Number of vulnerabilities 1
Vulnerability type Other – Code execution
CVSS v3

Score: 8.0

Vector string: 3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack type  Remote 
Impact Code execution
Attack vectors

An attacker could escalate privilege and execute arbitrary code on the on-premises Code42 server. 
Affected component On-premises Code42 server
Description of the vulnerability

When an administrator creates a local (non-SSO) user via a Code42-generated email, the administrator has the option to modify content for the email invitation. If the administrator entered template language code in the subject line, that code could be interpreted by the email generation services, potentially resulting in server-side code injection. 
Acknowledgements Thank you to Hung Tien Thanh of MSV for discovering and reporting this vulnerability. 

Other Code42 resources

  • Code42: Security

  • If you want to be notified when Code42 identifies a security vulnerability, navigate to the Code42 email preferences page and check the box "Common Security and Vulnerability Reports" in the preferences form. 

    Code42-preferences-4-9-21.png

  1. Back to top
  • Was this article helpful?

Recommended articles

  1. Article type
    Topic
    Available in CrashPlan Cloud
    Yes
    Available in other/on-premises product plans
    Yes
    Available in Incydr Basic and Advanced
    Yes
    Available in Incydr Pro, Enterprise, and Horizon
    Yes
    Available in Instructor
    No
    Available in Code42 CrashPlan Premium
    Yes
    Available in Code42 CrashPlan Standard
    Yes
    Available in CrashPlan for Small Business
    No
    Stage
    Final
  2. Tags
    1. CVE
    2. depcloud:true
    3. deployment:both
    4. depprem:true
    5. licincydrent:true