An arbitrary file upload vulnerability in the /v1/app/appendFileSync interface of Jan v0.4.12 allows attackers to execute arbitrary code via uploading a crafted file.
The /v1/app/appendFileSync endpoint does not properly validate uploaded files, which classifies the vulnerability as CWE-434 (Unrestricted Upload of File with Dangerous Type) and CWE-94 (Code Injection). An attacker can upload a crafted file (e.g., an executable script or configuration file), which is then processed by the server in a way that enables execution of the code contained in it. The attack does not require any authentication or user interaction.
Successful exploitation of the vulnerability gives the attacker full control over the system — it is possible to execute arbitrary code with the privileges of the application process, which may lead to violations of data confidentiality, integrity, and availability.
Apply patches available from the vendor according to the references and update the Jan application to a version newer than 0.4.12. Additionally, it is recommended to restrict network access to the Jan application API interfaces exclusively to trusted hosts (e.g., using a firewall or access control list).
Jan v0.4.12 (Homebrew Jan)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HHomebrew Jan
APPHomebrew0.4.12