
Remote code execution on Code42 servers

Who is this article for?

Code42 for Enterprise: yes.

CrashPlan for Small Business: no.

Overview

This article provides details about a security vulnerability affecting on-premises Code42 servers.  

To protect the security of our customers, we don't publish a security advisory until a vulnerability has been fully investigated and a patch or update is available that resolves the issue.

For more information about security at Code42, see our Security page. If you believe you've found a Code42 security vulnerability, see Report a security vulnerability to Code42.

If you have questions or concerns, contact our Customer Champions for support.

Description

A vulnerability has been identified that could allow an attacker to escalate privilege and execute arbitrary code on an on-premises Code42 server.

Affected product and versions

Code42 environments with on-premises Code42 servers running version 7.0.4 or earlier. Cloud-hosted Code42 environments are not affected by this advisory.

Resolution

This vulnerability is fixed in on-premises Code42 server version 7.0.5 and later. To remediate this vulnerability, upgrade all on-premises Code42 servers in your environment to version 7.0.5 or later, then confirm the running version in the administration console.

CVE details

CVE ID: CVE-2020-12736
Date published: July 6, 2020
Number of vulnerabilities: 1
Vulnerability type: Other – Code execution
CVSS v3.1 score: 8.0 (High)
CVSS v3.1 vector string: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack type: Remote
Impact: Code execution
Affected component: On-premises Code42 server

Attack vectors

An authenticated Code42 administrator, or an attacker who has obtained administrator credentials, could escalate privilege from the Code42 application to the underlying server and execute arbitrary code on the on-premises Code42 server.

Description of the vulnerability

When an administrator creates a local (non-SSO) user and sends the Code42-generated invitation email, the administrator can modify the content of that email. Template-language expressions entered in the subject line were passed to the email generation service and interpreted as template code rather than as literal text, resulting in server-side template injection and, through it, server-side code execution. Exploitation requires an account with administrator privileges in the Code42 console, which is why the CVSS vector rates Privileges Required as High; the code, however, runs with the privileges of the server process rather than within the Code42 application, which is why Scope is rated Changed.
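The pattern described above, reconstructed as an added example that is not Code42's code: the advisory does not name the template engine behind the email service, so a toy `${...}` engine written in Python stands in for it. The render context, the allow-list of placeholder names and the sample subjects are constructed for the example. The vulnerable path hands the admin-edited subject to the engine as template source; the hardened path resolves only allow-listed placeholder names and never evaluates an expression.

```python
import re

# Placeholder syntax of the toy engine: ${...}. It stands in for any engine
# whose expression language can reach the host runtime (assumption; the
# advisory does not name Code42's engine).
PLACEHOLDER = re.compile(r"\$\{(.*?)\}")

# Names an invitation subject may legitimately reference (assumed allow-list).
ALLOWED_VARS = {"user_name", "org_name"}

# Constructed render context. Real services often expose more than the
# template needs (here, an SMTP credential), and that is what an injected
# expression reaches first.
SAMPLE_CONTEXT = {
    "user_name": "alice",
    "org_name": "Example Corp",
    "smtp_password": "s3cret-smtp-password",
}


def render_vulnerable(template_source: str, context: dict) -> str:
    """Evaluate every ${...} as an expression. Passing admin-edited text to
    this function as template source is the bug pattern in the advisory."""
    def evaluate(match: re.Match) -> str:
        # eval() with an empty globals dict still receives builtins, so
        # __import__ and friends are reachable from the expression.
        return str(eval(match.group(1), {}, dict(context)))
    return PLACEHOLDER.sub(evaluate, template_source)


def render_safe(template_source: str, context: dict) -> str:
    """Resolve ${name} only for allow-listed names; nothing is evaluated.
    Any other placeholder is rejected before rendering."""
    def resolve(match: re.Match) -> str:
        name = match.group(1).strip()
        if name not in ALLOWED_VARS:
            raise ValueError(f"disallowed placeholder: ${{{name}}}")
        return str(context[name])
    return PLACEHOLDER.sub(resolve, template_source)


def check_subject(admin_subject: str, context: dict) -> tuple:
    """Hardened path as a mail service would call it: returns
    ('ok', rendered) or ('rejected', reason) and never raises."""
    try:
        return ("ok", render_safe(admin_subject, context))
    except ValueError as exc:
        return ("rejected", str(exc))


def has_template_syntax(text: str) -> bool:
    """Triage check for stored admin-edited templates: flags the placeholder
    delimiters of common engines. Useful when reviewing existing templates
    around the upgrade; it is not a substitute for the fix."""
    return any(marker in text for marker in ("${", "#{", "{{", "<%"))


if __name__ == "__main__":
    subjects = [
        "Welcome to ${org_name}, ${user_name}",   # legitimate personalization
        "${smtp_password}",                       # reads a server secret
        "${__import__('os').getpid() > 0}",       # arbitrary code runs
    ]
    for s in subjects:
        print("subject   :", s)
        print("vulnerable:", render_vulnerable(s, SAMPLE_CONTEXT))
        print("hardened  :", check_subject(s, SAMPLE_CONTEXT))
        print()
```

The hardened renderer keeps the personalization administrators expect (`${user_name}`, `${org_name}`) while refusing anything that is not a bare allow-listed name, so the admin's text can never become code. `has_template_syntax` is the check to run over templates that administrators edited before the upgrade: a placeholder that is not on the allow-list is either a mistake or an attempt worth investigating.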

Acknowledgements

Thank you to Hung Tien Thanh of MSV for discovering and reporting this vulnerability.
