CVE-2024-36858 Scanner

Detects file write vulnerability in Jan v0.4.12 via /v1/app/writeFileSync endpoint (CVE-2024-36858)

Short Info


Level

Critical

Single Scan

Single Scan

Can be used by

Asset Owner

Estimated Time

10 seconds

Time Interval

8 days 8 hours

Scan only one

Domain, Subdomain, IPv4

Toolbox

-

The open-source AI assistant platform Jan, specifically version v0.4.12, contains a critical vulnerability that allows unauthenticated arbitrary file uploads via the /v1/app/writeFileSync endpoint.

Identified as CVE-2024-36858, this flaw enables attackers to write files to arbitrary paths by abusing improper path sanitization. It also allows file content manipulation using the appendFileSync and readFileSync endpoints.

By chaining these APIs, a remote attacker can place and execute arbitrary code on the system. This leads to a full system compromise, data exfiltration, and potential lateral movement within the host network.

REFERENCES

Get started to protecting your digital assets