CVE-2024-36858 Scanner
Detects file write vulnerability in Jan v0.4.12 via /v1/app/writeFileSync endpoint (CVE-2024-36858)
Short Info
Level
Single Scan
Single Scan
Can be used by
Asset Owner
Estimated Time
10 seconds
Time Interval
8 days 8 hours
Scan only one
Domain, Subdomain, IPv4
Toolbox
-
The open-source AI assistant platform Jan, specifically version v0.4.12
, contains a critical vulnerability that allows unauthenticated arbitrary file uploads via the /v1/app/writeFileSync
endpoint.
Identified as CVE-2024-36858, this flaw enables attackers to write files to arbitrary paths by abusing improper path sanitization. It also allows file content manipulation using the appendFileSync
and readFileSync
endpoints.
By chaining these APIs, a remote attacker can place and execute arbitrary code on the system. This leads to a full system compromise, data exfiltration, and potential lateral movement within the host network.
REFERENCES