This article provides details about a security vulnerability in the Code42 app.
To protect the security of our customers, we don't publish a security advisory until a vulnerability has been fully investigated and a patch or update is available that resolves the issue.
If you have questions or concerns, contact our Customer Champions for support.
An attacker can craft a restore request to restore a file through the Code42 app to a location they do not have privileges to write.
Affected versions: Code42 app 6.9.1 and earlier.
This vulnerability has been fixed in Code42 app version 6.9.2 or later. To remediate this vulnerability, upgrade the Code42 apps in your environment.
| Field | Details |
| --- | --- |
| Date published | August 19, 2019 |
| Number of vulnerabilities | 1 |
| Products | Code42 for Enterprise and CrashPlan for Small Business |
| Affected product versions | Client version 6.9.1 and earlier |
| Vulnerability type | Incorrect Access Control |
| Impact | Escalation of privileges |
| Affected components | CrashPlan service |
| Attack vectors | An attacker can overwrite or restore files to locations they do not have write privileges to. This can be done through the API or through the user interface. |
| Description of the vulnerability | When Code42 restores a file, it writes the file in the security context of the Code42 service, which runs as root, rather than in the context of the user who launched the user interface. This affects only system-installed CrashPlan deployments, not user-installed ones. An attacker can craft a restore request to restore a file through CrashPlan to a location they do not have privileges to write. |
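The flaw class described in the table is a privileged service performing a file write on behalf of a less-privileged requester without checking the requester's own rights on the destination. The following is an added illustration written for this page; it is not Code42's code and says nothing about how the Code42 service is actually implemented. `restore_naive` models the flawed pattern (the service writes with its own privileges and never consults the requester's identity), and `restore_as_user` models the fix: before touching disk, it resolves the destination path and evaluates the POSIX owner/group/other permission bits of the target directory (and of an existing file, for overwrites) against the requester's uid and group ids, never against uid 0. The `Requester` type, the function names and the temp-directory scenario in `run_demo` are all constructed for the example.

```python
"""Added example (not Code42's own code): a root-running restore service must
authorize the destination against the requesting user's identity, not its own."""
import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Requester:
    """Identity of the user who launched the UI or sent the restore request.
    Constructed model; a real service takes this from the authenticated session."""
    uid: int
    gids: frozenset  # primary and supplementary group ids


def _permission_class(st: os.stat_result, r: Requester) -> int:
    """Return the 3-bit rwx class (owner, group or other) that applies to `r`
    for the inode described by `st`.  Deliberately no special case for uid 0:
    the service's root identity must never stand in for the requester's."""
    if r.uid == st.st_uid:
        return (st.st_mode & stat.S_IRWXU) >> 6
    if st.st_gid in r.gids:
        return (st.st_mode & stat.S_IRWXG) >> 3
    return st.st_mode & stat.S_IRWXO


def requester_may_write_to(dest_path: str, r: Requester) -> bool:
    """POSIX rules for a restore into `dest_path`, evaluated as `r`.
    A restore is treated as create-or-replace, so write + search (execute)
    on the destination directory is always required, and an existing file
    must additionally be writable.  Symlinks are resolved first so the check
    applies to the real target, not to a link the requester may control."""
    real = os.path.realpath(dest_path)
    parent = os.path.dirname(real)
    if not os.path.isdir(parent):
        return False
    if _permission_class(os.stat(parent), r) & 0o3 != 0o3:
        return False
    if os.path.exists(real) and not _permission_class(os.stat(real), r) & 0o2:
        return False
    return True


def restore_naive(dest_path: str, data: bytes) -> str:
    """Flawed pattern from the advisory: the service writes with whatever
    privileges it has (root) and never asks who requested the restore."""
    with open(dest_path, "wb") as f:
        f.write(data)
    return "restored"


def restore_as_user(dest_path: str, data: bytes, r: Requester) -> str:
    """Hardened pattern: authorize against the requester before touching disk."""
    if not requester_may_write_to(dest_path, r):
        return "denied"
    with open(dest_path, "wb") as f:
        f.write(data)
    return "restored"


def run_demo() -> dict:
    """Constructed scenario: a fresh temp directory owned by the current user
    with mode 0700, plus a second, unrelated uid that should be refused."""
    d = tempfile.mkdtemp()
    os.chmod(d, 0o700)
    target = os.path.join(d, "restored.txt")
    owner = Requester(os.getuid(), frozenset(os.getgroups()))
    stranger = Requester(os.getuid() + 1, frozenset())  # constructed "other user"
    return {
        # no check at all, so the write goes through regardless of who asked
        "naive_as_stranger": restore_naive(target, b"sample"),
        # stranger is neither owner nor group member and "other" has no bits
        "hardened_as_stranger": restore_as_user(target, b"sample", stranger),
        # owner has rwx on the directory and w on the existing file
        "hardened_as_owner": restore_as_user(target, b"sample", owner),
    }


if __name__ == "__main__":
    print(run_demo())
```

Emulating the permission check, as above, is the minimum a privileged service owes its callers, but it is a model rather than the strongest fix: it ignores ACLs and other filesystem-specific rules, and the check and the write are two separate operations, so the path could change between them. The more robust design is to perform the restore write itself under the requester's identity (a helper process that switches to the requester's uid/gids before opening the file), so the kernel enforces the rule and root's privileges never reach the destination path at all.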