CVE-2024-36858
published 2024-06-04


Priority: P1 80 critical
CVSS 3.1: 9.8 (AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H)
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 3.06% (86.0th percentile)

An arbitrary file upload vulnerability in the /v1/app/writeFileSync interface of Jan v0.4.12 allows attackers to execute arbitrary code via uploading a crafted file.

Affected

2 ranges

Vendor    Product  Version range  Fixed in
homebrew  jan
janhq     core     0 – 0.1.11

Detection & IOCs (extracted from sources)

url: /v1/app/writeFileSync
url: /v1/app/appendFileSync
url: /v1/app/readFileSync
path: /../../../../../tmp/
path: file:/../../../../../../tmp/
other: icon_hash=-165268926
  • Flag requests using the file:/ URI scheme with path traversal in the body payload targeting these endpoints, as used in the appendFileSync and readFileSync exploitation steps.
  • Use FOFA icon hash -165268926 to identify exposed Jan v0.4.12 instances on the internet for asset discovery and attack surface monitoring.
  • Confirm exploitation by checking if the response body of a readFileSync request contains the attacker-supplied string written in a prior writeFileSync/appendFileSync request (write-then-read verification pattern).
  • The exploit chain requires no authentication (PR:N) and uses Content-Type: text/plain;charset=UTF-8 for all three POST requests; alert on this content-type hitting the writeFileSync/appendFileSync/readFileSync paths.
  • The vulnerability is specific to Jan version 0.4.12; the affected CPE is cpe:2.3:a:homebrew:jan:0.4.12. Detections should be scoped to this version.
  • The exploit is classified as intrusive/active (nuclei tag: intrusive), meaning detection rules firing on these endpoints may also trigger from legitimate security scanners running the PoC template.
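
The detection notes above can be combined into one pass over parsed HTTP request records. The following is an added example, not code from this page or from the PoC template; the record field names (ts, src, method, path, content_type, body) and the sample bodies are assumptions, and the sample records are constructed.

```python
import re

# Endpoints and patterns taken from the IOC list on this page (CVE-2024-36858).
WRITE_PATHS = {"/v1/app/writeFileSync", "/v1/app/appendFileSync"}
READ_PATH = "/v1/app/readFileSync"
# file:/ URI followed by one or more ../ segments, then the target path.
TRAVERSAL = re.compile(r"file:/+((?:\.\./)+)([^\s\"',\]]+)", re.IGNORECASE)

def classify(req):
    """Return the reasons one request record matches the page's indicators."""
    path = req["path"].split("?", 1)[0]
    if req["method"] != "POST" or path not in WRITE_PATHS | {READ_PATH}:
        return []
    reasons = ["fs-endpoint"]
    if req.get("content_type", "").lower().startswith("text/plain"):
        reasons.append("text-plain")
    if TRAVERSAL.search(req.get("body", "")):
        reasons.append("file-uri-traversal")
    return reasons

def traversal_target(req):
    """Normalised target path (../ depth ignored), or None if no traversal."""
    m = TRAVERSAL.search(req.get("body", ""))
    return "/" + m.group(2) if m else None

def write_then_read(requests, window=300):
    """Find traversal writes followed by a read of the same target and source."""
    writes, hits = {}, []
    for req in sorted(requests, key=lambda r: r["ts"]):
        target = traversal_target(req)
        if target is None or "fs-endpoint" not in classify(req):
            continue
        key = (req["src"], target)
        if req["path"].split("?", 1)[0] in WRITE_PATHS:
            writes[key] = req["ts"]          # remember the latest write per key
        elif key in writes and req["ts"] - writes[key] <= window:
            hits.append(key)                 # read of a path just written
    return hits

# Constructed sample records (field names and body layout are assumptions).
SAMPLE = [
    {"ts": 100, "src": "198.51.100.7", "method": "POST", "path": "/v1/app/writeFileSync",
     "content_type": "text/plain;charset=UTF-8", "body": "file:/../../../../../tmp/probe.txt marker-123"},
    {"ts": 103, "src": "198.51.100.7", "method": "POST", "path": "/v1/app/readFileSync",
     "content_type": "text/plain;charset=UTF-8", "body": "file:/../../../../../../tmp/probe.txt"},
    {"ts": 200, "src": "192.0.2.10", "method": "POST", "path": "/v1/app/writeFileSync",
     "content_type": "application/json", "body": "file://threads/t1/messages.jsonl {}"},
    {"ts": 210, "src": "192.0.2.10", "method": "GET", "path": "/index.html", "content_type": "", "body": ""},
]
```

A hit from write_then_read is a stronger signal than any single indicator, but it also fires for security scanners running the PoC template, so triage by source.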

CVSS provenance

nvd        v3.1  9.8  CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck        9.8  CRITICAL