CVE-2024-36857: Jan v0.4.12 was discovered to contain an arbitrary file read vulnerability via the /v1/app/readFileSync interface.
Published 2024-06-04
Priority P2 · 74 · high · 7.5 CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
ITW exploit · VulnCheck KEV
Exploited in the wild
EPSS: 2.05% (78.9th percentile)
Jan v0.4.12 was discovered to contain an arbitrary file read vulnerability via the /v1/app/readFileSync interface.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| homebrew | jan | — | — |
| janhq | core | 0 – 0.1.11 | — |
Detection & IOCs (extracted from sources)
- command: POST /v1/app/readFileSync HTTP/1.1
- path: file:/../../../../../..{{path}}
- other: http.favicon.hash:-165268926
- other: icon_hash="-165268926"
- Detect POST requests to /v1/app/readFileSync with a body containing path traversal sequences (e.g., 'file:/../') and file paths such as /etc/passwd or /Windows/win.ini.
- A response body matching the regex 'root:.*:0:0:' (Linux /etc/passwd) or '\[(font|extension|file)s\]' (Windows win.ini), returned with HTTP 200 and Content-Type text/plain, indicates successful exploitation.
- Use Shodan favicon hash -165268926 or FOFA icon_hash="-165268926" to identify exposed Jan v0.4.12 instances on the internet.
- The exploit requires no authentication (PR:N, UI:N per CVSS), so any unauthenticated POST to the readFileSync endpoint with a traversal payload is suspicious.
- The path traversal payload uses the 'file:/' URI scheme prefix combined with '../' sequences. Detection rules must account for this non-standard traversal format rather than plain '../' sequences alone.
- The vulnerability is confirmed only in Jan v0.4.12; the CPE scope is limited to this specific version.
- The EPSS score of 0.53443 (97.988th percentile) indicates a very high probability of exploitation in the wild; prioritize detection and patching accordingly.
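The detection notes above can be turned into a small log-scanning check. The following is an added example written for this page, not code from the Jan project or from any of the indexed sources: it classifies request records against the /v1/app/readFileSync endpoint, looks for the 'file:/' prefix and '../' segments separately (so the scheme-prefixed form is not missed), and applies the quoted response regexes to decide whether a request actually disclosed a file. The record shape, the indicator names and the sample events are assumptions constructed for the demonstration.

```python
from __future__ import annotations

import re
from typing import Optional
from urllib.parse import unquote

# Endpoint named in the advisory.
TARGET_PATH = "/v1/app/readFileSync"

# Traversal indicators. The payload on this page prefixes the traversal with a
# 'file:/' URI scheme, so a rule keyed only on a leading '../' would miss it;
# the scheme and the dot-dot segments are matched separately, in both raw and
# percent-decoded form.
FILE_SCHEME_RE = re.compile(r"file:/", re.IGNORECASE)
DOT_DOT_RE = re.compile(r"(\.\./|\.\.\\|\.\.%2f|%2e%2e%2f|%2e%2e/)", re.IGNORECASE)
SENSITIVE_FILE_RE = re.compile(r"/etc/passwd|win\.ini", re.IGNORECASE)

# Success indicators quoted in the detection notes above.
SUCCESS_BODY_RE = re.compile(r"root:.*:0:0:|\[(font|extension|file)s\]", re.IGNORECASE)


def classify_request(method: str, path: str, body: str) -> Optional[dict]:
    """Classify one HTTP request. Returns None if it does not touch the
    vulnerable endpoint, otherwise a dict with a 'verdict' and the list of
    'indicators' that fired (indicator names are this example's own)."""
    if method.upper() != "POST" or path.split("?", 1)[0] != TARGET_PATH:
        return None
    haystacks = (body, unquote(body))
    indicators = []
    for name, rx in (("file-scheme-prefix", FILE_SCHEME_RE),
                     ("dot-dot-traversal", DOT_DOT_RE),
                     ("sensitive-file-name", SENSITIVE_FILE_RE)):
        if any(rx.search(h) for h in haystacks):
            indicators.append(name)
    # Any unauthenticated call to this endpoint is worth recording (PR:N);
    # traversal markers upgrade it to an exploit attempt.
    traversal = "dot-dot-traversal" in indicators or "file-scheme-prefix" in indicators
    return {"verdict": "exploit-attempt" if traversal else "endpoint-access",
            "indicators": indicators}


def response_indicates_success(status: int, content_type: str, body: str) -> bool:
    """True when the response looks like a disclosed /etc/passwd or win.ini."""
    return (status == 200
            and content_type.split(";")[0].strip().lower() == "text/plain"
            and SUCCESS_BODY_RE.search(body) is not None)


def scan_events(events: list[dict]) -> list[dict]:
    """Run both checks over request/response records and return one alert per
    request that reached the endpoint."""
    alerts = []
    for ev in events:
        req = classify_request(ev["method"], ev["path"], ev.get("body", ""))
        if req is None:
            continue
        alert = {"src": ev["src"], **req, "exploited": False}
        resp = ev.get("response")
        if resp is not None:
            alert["exploited"] = response_indicates_success(
                resp["status"], resp.get("content_type", ""), resp.get("body", ""))
        alerts.append(alert)
    return alerts


# Constructed sample records (not real traffic), in the shape a reverse proxy
# or WAF log might produce after pairing requests with responses.
SAMPLE_EVENTS = [
    {"src": "198.51.100.7", "method": "POST", "path": TARGET_PATH,
     "body": '["file:/../../../../../../etc/passwd"]',
     "response": {"status": 200, "content_type": "text/plain; charset=utf-8",
                  "body": "root:x:0:0:root:/root:/bin/bash\n"}},
    {"src": "198.51.100.8", "method": "POST", "path": TARGET_PATH,
     "body": "%5B%22file%3A%2F..%2F..%2FWindows%2Fwin.ini%22%5D",
     "response": {"status": 500, "content_type": "application/json", "body": "{}"}},
    {"src": "203.0.113.5", "method": "POST", "path": TARGET_PATH,
     "body": '["/tmp/notes.txt"]'},
    {"src": "203.0.113.6", "method": "POST", "path": "/v1/chat/completions",
     "body": '{"model":"x"}'},
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints three alerts: the first request is an exploit attempt whose response matched the /etc/passwd regex, the second is an exploit attempt that did not succeed (non-200 response), and the third is a plain endpoint access with no traversal markers; the chat-completions request is ignored. The 'endpoint-access' verdict is kept deliberately, since the endpoint needs no authentication and baseline access counts are useful when hunting for the same source later.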
CVSS provenance
- nvd: v3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- vulncheck: 7.5 HIGH
GHSA
Jan path traversal vulnerability (ghsa · 2024-06-04)
CVE-2024-36857 [HIGH] CWE-22
Jan v0.4.12 was discovered to contain an arbitrary file read vulnerability via the /v1/app/readFileSync interface.
OSV
Jan path traversal vulnerability (osv · 2024-06-04)
CVE-2024-36857 [HIGH]
Jan v0.4.12 was discovered to contain an arbitrary file read vulnerability via the /v1/app/readFileSync interface.
VulnCheck
Jan API Interface readFileSync Vulnerability (vulncheck · 2024 · CVSS 7.5)
CVE-2024-36857 [HIGH]
Jan v0.4.12 was discovered to contain an arbitrary file read vulnerability via the /v1/app/readFileSync interface.
Affected: homebrew jan
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-08-15&host_type=src&vulnerability=cve-2024-36857; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-08-22&host_type=src&vulnerability=cve-2024-36857; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-08-23&host_type=src&vulnerability=cve-2024-36857; https://dashboard.shadowserver.or
No detection rules found.
Nuclei
Jan v0.4.12 'readFileSync' - Path Traversal (nuclei · CVSS 7.5)
CVE-2024-36857 [HIGH]
Jan v0.4.12 was discovered to contain an arbitrary file read vulnerability via the /v1/app/readFileSync interface.
Template:

```yaml
id: CVE-2024-36857

info:
  name: Jan v0.4.12 'readFileSync' - Path Traversal
  author: Yusuf Amr
  severity: high
  description: |
    Jan v0.4.12 was discovered to contain an arbitrary file read vulnerability via the /v1/app/readFileSync interface.
  impact: |
    Unauthenticated attackers can read arbitrary files from the system via path traversal in the readFileSync interface.
  remediation: |
    Update Jan to a version later than v0.4.12 that patches the path traversal vulnerability.
  reference:
    - https://www.wiz.io/vulnerability-database/cve/cve-2024-36857
    - https://github.com/HackAllSec/CVEs/tree/main/Jan%20AFR%20vulnerability
  classifica
```
No writeups or analysis indexed.
Timeline
- 2024-06-04: Published
- Exploited in the wild