Remote code execution on Code42 servers
Who is this article for?
Incydr, yes.
CrashPlan for Enterprise, yes.
Code42 for Enterprise, yes.
CrashPlan for Small Business, no.
Overview
This article provides details about a security vulnerability affecting on-premises Code42 servers.
Description
A vulnerability has been identified that could allow an attacker to escalate privilege and execute arbitrary code on an on-premises Code42 server.
Affected product and versions
Code42 environments with on-premises Code42 servers running version 7.0.4 or earlier.
Resolution
This vulnerability is fixed in on-premises Code42 server version 7.0.5 and later. To remediate this vulnerability, upgrade your environment.
CVE details
| CVE ID | CVE-2020-12736 |
|---|---|
| Date published | July 6, 2020 |
| Number of vulnerabilities | 1 |
| Vulnerability type | Other – Code execution |
| CVSS v3 |
Score: 8.0 Vector string: 3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H |
| Attack type | Remote |
| Impact | Code execution |
| Attack vectors |
An attacker could escalate privilege and execute arbitrary code on the on-premises Code42 server. |
| Affected component | On-premises Code42 server |
| Description of the vulnerability |
When an administrator creates a local (non-SSO) user via a Code42-generated email, the administrator has the option to modify content for the email invitation. If the administrator entered template language code in the subject line, that code could be interpreted by the email generation services, potentially resulting in server-side code injection. |
| Acknowledgements | Thank you to Hung Tien Thanh of MSV for discovering and reporting this vulnerability. |
Other Code42 resources
- Code42: Security
-
If you want to be notified when Code42 identifies a security vulnerability, navigate to the Code42 email preferences page and check the box "Common Security and Vulnerability Reports" in the preferences form.
