Who is this article for?
Find your product plan in the Code42 console on the Account menu.

This article applies to all product plans: Incydr Professional, Enterprise, and Gov F2; Incydr Basic, Advanced, and Gov F1; CrashPlan Cloud; CrashPlan for Small Business; and other product plans.

Users can restore files to locations they do not have write access to

Overview

This article provides details about a security vulnerability in the Code42 app.  

To protect the security of our customers, we don't publish a security advisory until a vulnerability has been fully investigated and a patch or update is available that resolves the issue.

For more information about security at Code42, see our Security page. If you believe you've found a Code42 security vulnerability, see Report a security vulnerability to Code42.

If you have questions or concerns, contact our Customer Champions for support.

Description

An attacker can craft a restore request that makes the Code42 app write a restored file to a location the attacker does not have permission to write to.

Affected versions 

Code42 app 6.9.1 and earlier

Resolution

This vulnerability is fixed in Code42 app version 6.9.2 and later. To remediate it, upgrade the Code42 apps in your environment to version 6.9.2 or later.

CVE details

CVE ID: CVE-2019-11551
Date published: August 19, 2019
Number of vulnerabilities: 1
Products: Code42 for Enterprise and CrashPlan for Small Business
Affected product versions: Client version 6.9.1 and earlier
Vulnerability type: Incorrect Access Control
Attack type: Local
Impact: Escalation of privileges
Affected components: CrashPlan service
Attack vectors: An attacker can overwrite or restore files to locations they do not have write privileges to. This can be done through the API or through the user interface.
Description of the vulnerability: When the Code42 app restores a file, it writes the file in the context of the Code42 service, which runs as root, rather than in the context of the user who launched the user interface. This affects only system-installed (per-machine) CrashPlan deployments, not user-installed ones. An attacker can craft a restore request that makes CrashPlan write a file to a location the attacker does not have permission to write to.
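The flaw class described above is a confused-deputy problem: a service running as root performs a file write on behalf of an unprivileged user, and the kernel only ever sees root's (unlimited) rights. The added example below is hypothetical illustration code, not Code42's code, and it does not model the Code42 API or restore format. It shows the vulnerable pattern (write wherever the request says) beside a hardened one that first emulates the requesting user's own POSIX permission check on the destination: symlinks are resolved, every ancestor directory must be searchable by that user, and the existing file or, for a new file, its parent directory must be writable by that user. The scenario in demo() is constructed for the example: a 0755 directory owned by the current user and a "stranger" uid that is neither owner nor group member.

```python
"""Added illustration of the CVE-2019-11551 flaw class (hypothetical code, not
Code42's): a service running as root restores files on behalf of an
unprivileged user, so it must check the *requesting user's* rights to the
destination instead of relying on its own, unlimited rights."""
import os
import stat
import tempfile

# Permission-bit triples (owner, group, other) for the two checks we emulate.
WRITE_BITS = (stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH)
SEARCH_BITS = (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)


def identity_has(st, uid, gids, bits):
    """Apply POSIX owner/group/other selection for identity (uid, gids) to a
    stat result.  uid 0 always passes, as the kernel's DAC write/search checks
    do for root; that is exactly why a root service must not use its own
    identity for this check."""
    owner_bit, group_bit, other_bit = bits
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & owner_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)


def user_may_write(uid, gids, dest):
    """Could a process running as (uid, gids) create or overwrite `dest`?
    Resolves symlinks first so a link planted by the user cannot redirect the
    write, requires search (x) on every ancestor directory, then write on the
    existing file or, if it does not exist yet, on its parent directory."""
    dest = os.path.realpath(dest)
    parent = os.path.dirname(dest)
    d = parent
    while True:
        if not identity_has(os.stat(d), uid, gids, SEARCH_BITS):
            return False
        up = os.path.dirname(d)
        if up == d:          # reached the filesystem root
            break
        d = up
    if os.path.isdir(dest):
        return False         # never clobber a directory with file contents
    target = dest if os.path.exists(dest) else parent
    return identity_has(os.stat(target), uid, gids, WRITE_BITS)


def restore_unchecked(requester_uid, requester_gids, data, dest):
    """Vulnerable pattern: the privileged service writes wherever it is told
    and ignores who asked.  Running as root, any destination succeeds."""
    with open(dest, "wb") as f:
        f.write(data)
    return True


def restore_checked(requester_uid, requester_gids, data, dest):
    """Hardened pattern: write only if the requester could have done so
    themselves.  Returns False, and writes nothing, when the check fails."""
    if not user_may_write(requester_uid, requester_gids, dest):
        return False
    with open(dest, "wb") as f:
        f.write(data)
    return True


def demo(base_dir=None):
    """Constructed scenario (not real data): a 0755 directory owned by the
    current user, and a requester uid that is neither owner nor group member.
    Returns what each restore variant does for that requester."""
    base_dir = base_dir or tempfile.mkdtemp(prefix="restore-demo-")
    os.chmod(base_dir, 0o755)            # searchable, so only the final dir decides
    victim_dir = os.path.join(base_dir, "victim")
    os.makedirs(victim_dir, exist_ok=True)
    os.chmod(victim_dir, 0o755)
    me = os.getuid()
    stranger_uid = 65534 if me != 65534 else 65533   # "nobody"-style uid
    stranger_gids = [65534]
    dest = os.path.join(victim_dir, "protected.conf")
    payload = b"# contents chosen by the requester\n"

    results = {
        "stranger_may_write": user_may_write(stranger_uid, stranger_gids, dest),
        "owner_may_write": user_may_write(me, [os.getgid()], dest),
        "checked_for_stranger": restore_checked(stranger_uid, stranger_gids, payload, dest),
    }
    results["written_after_checked"] = os.path.exists(dest)
    results["unchecked_for_stranger"] = restore_unchecked(stranger_uid, stranger_gids, payload, dest)
    results["written_after_unchecked"] = os.path.exists(dest)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The emulated check is a portable stand-in; on a real system the more robust fix is to perform the write with the requester's identity (for example, fork and drop to the requester's uid/gid before opening the destination) so that the kernel makes the decision, which also covers ACLs and mandatory access control that a stat-based emulation does not see.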

Other Code42 resources

  • Code42: Security
  • If you want to be notified when Code42 identifies a security vulnerability, navigate to the Code42 email preferences page and check the box "Common Security and Vulnerability Reports" in the preferences form. 
