code42 CVE Vulnerabilities & Metrics

Focus on code42 vulnerabilities and metrics.

Last updated: 08 Mar 2025, 23:25 UTC

About code42 Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with code42. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.

Global CVE Overview

Total code42 CVEs: 10
Earliest CVE date: 27 Jun 2017, 18:29 UTC
Latest CVE date: 20 Jan 2022, 02:15 UTC

Latest CVE reference: CVE-2021-43269

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 0

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 0.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical code42 CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 5.94

Max CVSS: 7.5

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range	Count
0.0-3.9	1
4.0-6.9	7
7.0-8.9	2
9.0-10.0	0

CVSS Distribution Chart

Top 5 Highest CVSS code42 CVEs

These are the five CVEs with the highest CVSS scores for code42, sorted by severity first and recency.

CVE-2019-15131 code42 Published on 17 Sep 2019, 12:15 UTC (CVSS: 7.5)
In Code42 Enterprise 6.7.5 and earlier, 6.8.4 through 6.8.8, and 7.0.0 a vulnerability has been identified that may allow arbitrary files to be uploaded to Code42 servers and executed. This vulnerability could allow an attacker to create directories and save files on Code42 servers, which could potentially lead to code execution.
CVE-2017-9830 code42 Published on 27 Jun 2017, 18:29 UTC (CVSS: 7.5)
Remote Code Execution is possible in Code42 CrashPlan 5.4.x via the org.apache.commons.ssl.rmi.DateRMI Java class, because (upon instantiation) it creates an RMI server that listens on a TCP port and deserializes objects sent by TCP clients.
CVE-2019-16861 code42 Published on 19 Nov 2019, 13:15 UTC (CVSS: 6.9)
Code42 server through 7.0.2 for Windows has an Untrusted Search Path. In certain situations, a non-administrative attacker on the local server could create or modify a dynamic-link library (DLL). The Code42 service could then load it at runtime, and potentially execute arbitrary code at an elevated privilege on the local server.
CVE-2019-16860 code42 Published on 19 Nov 2019, 13:15 UTC (CVSS: 6.9)
Code42 app through version 7.0.2 for Windows has an Untrusted Search Path. In certain situations, a non-administrative attacker on the local machine could create or modify a dynamic-link library (DLL). The Code42 service could then load it at runtime, and potentially execute arbitrary code at an elevated privilege on the local machine.
CVE-2021-43269 code42 Published on 20 Jan 2022, 02:15 UTC (CVSS: 6.5)
In Code42 app before 8.8.0, eval injection allows an attacker to change a device’s proxy configuration to use a malicious proxy auto-config (PAC) file, leading to arbitrary code execution. This affects Incydr Basic, Advanced, and Gov F1; CrashPlan Cloud; and CrashPlan for Small Business. (Incydr Professional and Enterprise are unaffected.)

All CVEs for code42

CVE-2021-43269 code42 vulnerability CVSS: 6.5 20 Jan 2022, 02:15 UTC

In Code42 app before 8.8.0, eval injection allows an attacker to change a device’s proxy configuration to use a malicious proxy auto-config (PAC) file, leading to arbitrary code execution. This affects Incydr Basic, Advanced, and Gov F1; CrashPlan Cloud; and CrashPlan for Small Business. (Incydr Professional and Enterprise are unaffected.)

CVE-2020-12736 code42 vulnerability CVSS: 6.5 07 Jul 2020, 20:15 UTC

Code42 environments with on-premises server versions 7.0.4 and earlier allow for possible remote code execution. When an administrator creates a local (non-SSO) user via a Code42-generated email, the administrator has the option to modify content for the email invitation. If the administrator entered template language code in the subject line, that code could be interpreted by the email generation services, potentially resulting in server-side code injection.

CVE-2019-16861 code42 vulnerability CVSS: 6.9 19 Nov 2019, 13:15 UTC

Code42 server through 7.0.2 for Windows has an Untrusted Search Path. In certain situations, a non-administrative attacker on the local server could create or modify a dynamic-link library (DLL). The Code42 service could then load it at runtime, and potentially execute arbitrary code at an elevated privilege on the local server.

CVE-2019-16860 code42 vulnerability CVSS: 6.9 19 Nov 2019, 13:15 UTC

Code42 app through version 7.0.2 for Windows has an Untrusted Search Path. In certain situations, a non-administrative attacker on the local machine could create or modify a dynamic-link library (DLL). The Code42 service could then load it at runtime, and potentially execute arbitrary code at an elevated privilege on the local machine.

CVE-2019-15131 code42 vulnerability CVSS: 7.5 17 Sep 2019, 12:15 UTC

In Code42 Enterprise 6.7.5 and earlier, 6.8.4 through 6.8.8, and 7.0.0 a vulnerability has been identified that may allow arbitrary files to be uploaded to Code42 servers and executed. This vulnerability could allow an attacker to create directories and save files on Code42 servers, which could potentially lead to code execution.

CVE-2019-11551 code42 vulnerability CVSS: 2.1 21 Aug 2019, 18:15 UTC

In Code42 Enterprise and Crashplan for Small Business through Client version 6.9.1, an attacker can craft a restore request to restore a file through the Code42 app to a location they do not have privileges to write.

CVE-2019-11553 code42 vulnerability CVSS: 6.5 19 Jul 2019, 17:15 UTC

In Code42 for Enterprise through 6.8.4, an administrator without web restore permission but with the ability to manage users in an organization can impersonate a user with web restore permission. When requesting the token to do a web restore, an administrator with permission to manage a user could request the token of that user. If the administrator was not authorized to perform web restores but the user was authorized to perform web restores, this would allow the administrator to impersonate the user with greater permissions. In order to exploit this vulnerability, the user would have to be an administrator with access to manage an organization with a user with greater permissions than themselves.

CVE-2019-11552 code42 vulnerability CVSS: 4.4 19 Jul 2019, 14:15 UTC

Code42 Enterprise and Crashplan for Small Business Client version 6.7 before 6.7.5, 6.8 before 6.8.8, and 6.9 before 6.9.4 allows eval injection. A proxy auto-configuration file, crafted by a lesser privileged user, may be used to execute arbitrary code at a higher privilege as the service user.

CVE-2018-20131 code42 vulnerability CVSS: 4.6 03 Jan 2019, 01:29 UTC

The Code42 app before 6.8.4, as used in Code42 for Enterprise, on Linux installs with overly permissive permissions on the /usr/local/crashplan/log directory. This allows a user to manipulate symbolic links to escalate privileges, or show the contents of sensitive files that a regular user would not have access to.

CVE-2017-9830 code42 vulnerability CVSS: 7.5 27 Jun 2017, 18:29 UTC

Remote Code Execution is possible in Code42 CrashPlan 5.4.x via the org.apache.commons.ssl.rmi.DateRMI Java class, because (upon instantiation) it creates an RMI server that listens on a TCP port and deserializes objects sent by TCP clients.