Who is this article for?
CrashPlan for Enterprise: yes
Code42 for Enterprise: yes
CrashPlan for Small Business: no
This article provides details about a security vulnerability affecting on-premises Code42 servers.
To protect the security of our customers, we don't publish a security advisory until a vulnerability has been fully investigated and a patch or update is available that resolves the issue.
If you have questions or concerns, contact our Customer Champions for support.
A vulnerability has been identified that could allow an attacker to escalate privilege and execute arbitrary code on an on-premises Code42 server.
Affected product and versions
Code42 environments with on-premises Code42 servers running version 7.0.4 or earlier.
Date published: July 6, 2020
Number of vulnerabilities: 1
Vulnerability type: Other – Code execution
CVSS 3.1 vector string: AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H (base score 8.0, High)
Summary: An attacker who already holds administrative privileges could escalate privilege further and execute arbitrary code on the on-premises Code42 server.
Affected component: On-premises Code42 server
Description of the vulnerability:
When an administrator creates a local (non-SSO) user and chooses to send a Code42-generated invitation email, the administrator can edit the content of that email. The subject line was passed to the email generation service as template source rather than as data. An administrator who entered template-language expressions in the subject line could therefore have them evaluated by the template engine, which amounts to server-side template injection and can lead to code execution on the server.
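The following is an added illustration of the bug class described above, not Code42's code. The template engine is a constructed stand-in that evaluates `${...}` expressions (the real engine and its syntax are not named in this advisory and are assumed here). It contrasts the vulnerable pattern, where administrator-supplied subject text becomes template source, with the fixed pattern, where the subject is passed as data in the template context. The function names and the sample subject are assumptions for the example.

```python
import re

# Constructed stand-in for an email template engine: every ${...} in the
# template SOURCE is evaluated as a Python expression with the context as
# its namespace. This is a toy to show the injection point, not a sandbox.
_EXPR = re.compile(r"\$\{(.+?)\}")


def render(template_source, context):
    """Evaluate each ${expr} in template_source using names from context."""
    def _evaluate(match):
        return str(eval(match.group(1), {"__builtins__": {}}, dict(context)))
    # re.sub does not re-scan substituted text, so values injected through
    # the context are never themselves interpreted as template syntax.
    return _EXPR.sub(_evaluate, template_source)


def build_invite_subject_vulnerable(admin_subject, context):
    """Vulnerable pattern: the admin-edited subject IS the template source,
    so any ${...} the admin typed is evaluated on the server."""
    return render(admin_subject, context)


def build_invite_subject_fixed(admin_subject, context):
    """Fixed pattern: the template source is a fixed application string and
    the admin-edited subject is supplied as DATA via the context."""
    return render("${subject}", {**context, "subject": admin_subject})


def has_template_syntax(text):
    """Defense in depth: detect template delimiters in free-form input so the
    application can reject or log them before they reach the mailer."""
    return _EXPR.search(text) is not None


if __name__ == "__main__":
    # Constructed sample input: an admin-edited subject that smuggles an
    # expression alongside the legitimate placeholder.
    ctx = {"org": "Example Org"}
    subject = "Welcome to ${org} ${7*191}"
    print("vulnerable:", build_invite_subject_vulnerable(subject, ctx))
    print("fixed     :", build_invite_subject_fixed(subject, ctx))
    print("suspicious:", has_template_syntax(subject))
```

In the vulnerable path the arithmetic is evaluated, which is the same mechanism an attacker would use to reach objects that expose process or file-system access in a real engine; in the fixed path the subject arrives verbatim because it never becomes template source. Treating any administrator-editable field as data, not as template, is the fix; rejecting template delimiters in such fields is an additional check worth keeping.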
Acknowledgements: Thank you to Hung Tien Thanh of MSV for discovering and reporting this vulnerability.