All the vulnerabilites related to autolab - Autolab
cve-2024-52584
Vulnerability from cvelistv5
Published
2024-11-18 20:43
Modified
2024-11-21 14:54
Severity ?
EPSS score ?
Summary
Autolab has vulnerable submission endpoints
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/autolab/Autolab/security/advisories/GHSA-rjg4-cf66-x6gr | x_refsource_CONFIRM | |
| https://github.com/autolab/Autolab/commit/96006d532a392eeca2d350d1811f8e8ab9625bda | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-52584",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-19T15:33:21.755042Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-21T14:54:45.418Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Autolab",
"vendor": "autolab",
"versions": [
{
"status": "affected",
"version": "= 3.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Autolab is a course management service that enables auto-graded programming assignments. There is a vulnerability in version 3.0.1 where CAs can view or edit the grade for any submission ID, even if they are not a CA for the class that has the submission. The endpoints only check that the CAs have the authorization level of a CA in the class in the endpoint, which is not necessarily the class the submission is attached to. Version 3.0.2 contains a patch. No known workarounds are available."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-18T20:43:21.893Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/autolab/Autolab/security/advisories/GHSA-rjg4-cf66-x6gr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/autolab/Autolab/security/advisories/GHSA-rjg4-cf66-x6gr"
},
{
"name": "https://github.com/autolab/Autolab/commit/96006d532a392eeca2d350d1811f8e8ab9625bda",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/autolab/Autolab/commit/96006d532a392eeca2d350d1811f8e8ab9625bda"
}
],
"source": {
"advisory": "GHSA-rjg4-cf66-x6gr",
"discovery": "UNKNOWN"
},
"title": "Autolab has vulnerable submission endpoints"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-52584",
"datePublished": "2024-11-18T20:43:21.893Z",
"dateReserved": "2024-11-14T15:05:46.766Z",
"dateUpdated": "2024-11-21T14:54:45.418Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-44395
Vulnerability from cvelistv5
Published
2024-01-22 14:51
Modified
2024-08-23 19:18
Severity ?
EPSS score ?
Summary
Autolab has Path Traversal vulnerability in Assessment functionality
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/autolab/Autolab/security/advisories/GHSA-h8wq-ghfq-5hfx | x_refsource_CONFIRM | |
| https://github.com/autolab/Autolab/releases/tag/v2.12.0 | x_refsource_MISC | |
| https://www.stackhawk.com/blog/rails-path-traversal-guide-examples-and-prevention/ | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:07:33.190Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/autolab/Autolab/security/advisories/GHSA-h8wq-ghfq-5hfx",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/autolab/Autolab/security/advisories/GHSA-h8wq-ghfq-5hfx"
},
{
"name": "https://github.com/autolab/Autolab/releases/tag/v2.12.0",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/autolab/Autolab/releases/tag/v2.12.0"
},
{
"name": "https://www.stackhawk.com/blog/rails-path-traversal-guide-examples-and-prevention/",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.stackhawk.com/blog/rails-path-traversal-guide-examples-and-prevention/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-44395",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-23T19:09:39.273104Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-23T19:18:41.408Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Autolab",
"vendor": "autolab",
"versions": [
{
"status": "affected",
"version": "\u003c 2.12.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Autolab is a course management service that enables instructors to offer autograded programming assignments to their students over the Web. Path traversal vulnerabilities were discovered in Autolab\u0027s assessment functionality in versions of Autolab prior to 2.12.0, whereby instructors can perform arbitrary file reads. Version 2.12.0 contains a patch. There are no feasible workarounds for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-22T14:51:14.371Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/autolab/Autolab/security/advisories/GHSA-h8wq-ghfq-5hfx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/autolab/Autolab/security/advisories/GHSA-h8wq-ghfq-5hfx"
},
{
"name": "https://github.com/autolab/Autolab/releases/tag/v2.12.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/autolab/Autolab/releases/tag/v2.12.0"
},
{
"name": "https://www.stackhawk.com/blog/rails-path-traversal-guide-examples-and-prevention/",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.stackhawk.com/blog/rails-path-traversal-guide-examples-and-prevention/"
}
],
"source": {
"advisory": "GHSA-h8wq-ghfq-5hfx",
"discovery": "UNKNOWN"
},
"title": "Autolab has Path Traversal vulnerability in Assessment functionality"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-44395",
"datePublished": "2024-01-22T14:51:14.371Z",
"dateReserved": "2023-09-28T17:56:32.614Z",
"dateUpdated": "2024-08-23T19:18:41.408Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-49376
Vulnerability from cvelistv5
Published
2024-10-25 12:50
Modified
2024-10-25 15:05
Severity ?
EPSS score ?
Summary
Autolab Has Misconfigured Reset Password Permissions
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/autolab/Autolab/security/advisories/GHSA-v46j-h43h-rwrm | x_refsource_CONFIRM | |
| https://github.com/autolab/Autolab/commit/301689ab5c5e39d13bab47b71eaf8998d04bcc9b | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-49376",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-25T15:05:04.602746Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-25T15:05:44.274Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Autolab",
"vendor": "autolab",
"versions": [
{
"status": "affected",
"version": "= 3.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Autolab, a course management service that enables auto-graded programming assignments, has misconfigured reset password permissions in version 3.0.0. For email-based accounts, users with insufficient privileges could reset and theoretically access privileged users\u0027 accounts by resetting their passwords. This issue is fixed in version 3.0.1. No known workarounds exist."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-25T12:50:33.130Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/autolab/Autolab/security/advisories/GHSA-v46j-h43h-rwrm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/autolab/Autolab/security/advisories/GHSA-v46j-h43h-rwrm"
},
{
"name": "https://github.com/autolab/Autolab/commit/301689ab5c5e39d13bab47b71eaf8998d04bcc9b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/autolab/Autolab/commit/301689ab5c5e39d13bab47b71eaf8998d04bcc9b"
}
],
"source": {
"advisory": "GHSA-v46j-h43h-rwrm",
"discovery": "UNKNOWN"
},
"title": "Autolab Has Misconfigured Reset Password Permissions"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-49376",
"datePublished": "2024-10-25T12:50:33.130Z",
"dateReserved": "2024-10-14T13:56:34.812Z",
"dateUpdated": "2024-10-25T15:05:44.274Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-52585
Vulnerability from cvelistv5
Published
2024-11-18 20:45
Modified
2024-11-21 14:47
Severity ?
EPSS score ?
Summary
Autolab has HTML Injection Vulnerability
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/autolab/Autolab/security/advisories/GHSA-8qhp-jhhw-45r2 | x_refsource_CONFIRM | |
| https://github.com/autolab/Autolab/commit/2429983b6caa245fea1b37f0dc236ccbcad9554c | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-52585",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-19T15:31:24.785079Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-21T14:47:11.984Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Autolab",
"vendor": "autolab",
"versions": [
{
"status": "affected",
"version": "= 3.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Autolab is a course management service that enables auto-graded programming assignments. There is an HTML injection vulnerability in version 3.0.1 that can affect instructors and CAs on the grade submissions page. The issue is patched in version 3.0.2. One may apply the patch manually by editing line 589 on `gradesheet.js.erb` to take in feedback as text rather than html."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 1.2,
"baseSeverity": "LOW",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-18T20:45:32.931Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/autolab/Autolab/security/advisories/GHSA-8qhp-jhhw-45r2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/autolab/Autolab/security/advisories/GHSA-8qhp-jhhw-45r2"
},
{
"name": "https://github.com/autolab/Autolab/commit/2429983b6caa245fea1b37f0dc236ccbcad9554c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/autolab/Autolab/commit/2429983b6caa245fea1b37f0dc236ccbcad9554c"
}
],
"source": {
"advisory": "GHSA-8qhp-jhhw-45r2",
"discovery": "UNKNOWN"
},
"title": "Autolab has HTML Injection Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-52585",
"datePublished": "2024-11-18T20:45:19.561Z",
"dateReserved": "2024-11-14T15:05:46.766Z",
"dateUpdated": "2024-11-21T14:47:11.984Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-32676
Vulnerability from cvelistv5
Published
2023-05-26 22:44
Modified
2024-10-15 16:29
Severity ?
EPSS score ?
Summary
Autolab tar slip in Install Assessment functionality (`GHSL-2023-081`)
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/autolab/Autolab/security/advisories/GHSA-x9hj-r9q4-832c | x_refsource_CONFIRM | |
| https://github.com/autolab/Autolab/commit/14f508484a8323eceb0cf3a128573b43eabbc80d | x_refsource_MISC | |
| https://securitylab.github.com/advisories/GHSL-2023-081_GHSL-2023-082_Autolab/ | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:25:36.413Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/autolab/Autolab/security/advisories/GHSA-x9hj-r9q4-832c",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/autolab/Autolab/security/advisories/GHSA-x9hj-r9q4-832c"
},
{
"name": "https://github.com/autolab/Autolab/commit/14f508484a8323eceb0cf3a128573b43eabbc80d",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/autolab/Autolab/commit/14f508484a8323eceb0cf3a128573b43eabbc80d"
},
{
"name": "https://securitylab.github.com/advisories/GHSL-2023-081_GHSL-2023-082_Autolab/",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://securitylab.github.com/advisories/GHSL-2023-081_GHSL-2023-082_Autolab/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-32676",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-24T17:20:24.700305Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-15T16:29:34.601Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Autolab",
"vendor": "autolab",
"versions": [
{
"status": "affected",
"version": "\u003c 2.11.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Autolab is a course management service that enables auto-graded programming assignments. A Tar slip vulnerability was found in the Install assessment functionality of Autolab. To exploit this vulnerability an authenticated attacker with instructor permissions needs to upload a specially crafted Tar file. Using the install assessment functionality an attacker can feed a Tar file that contain files with paths pointing outside of the target directory (e.g., `../../../../tmp/tarslipped1.sh`). When the Install assessment form is submitted the files inside of the archives are expanded to the attacker-chosen locations. This issue has been addressed in version 2.11.0. Users are advised to upgrade."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-11T18:23:01.008Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/autolab/Autolab/security/advisories/GHSA-x9hj-r9q4-832c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/autolab/Autolab/security/advisories/GHSA-x9hj-r9q4-832c"
},
{
"name": "https://github.com/autolab/Autolab/commit/14f508484a8323eceb0cf3a128573b43eabbc80d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/autolab/Autolab/commit/14f508484a8323eceb0cf3a128573b43eabbc80d"
},
{
"name": "https://securitylab.github.com/advisories/GHSL-2023-081_GHSL-2023-082_Autolab/",
"tags": [
"x_refsource_MISC"
],
"url": "https://securitylab.github.com/advisories/GHSL-2023-081_GHSL-2023-082_Autolab/"
}
],
"source": {
"advisory": "GHSA-x9hj-r9q4-832c",
"discovery": "UNKNOWN"
},
"title": "Autolab tar slip in Install Assessment functionality (`GHSL-2023-081`)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-32676",
"datePublished": "2023-05-26T22:44:09.157Z",
"dateReserved": "2023-05-11T16:33:45.731Z",
"dateUpdated": "2024-10-15T16:29:34.601Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-32317
Vulnerability from cvelistv5
Published
2023-05-26 22:42
Modified
2024-08-02 15:10
Severity ?
EPSS score ?
Summary
Autolab tar slip in cheat checker functionality (`GHSL-2023-082`)
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/autolab/Autolab/security/advisories/GHSA-h8g5-vhm4-wx6g | x_refsource_CONFIRM | |
| https://github.com/autolab/Autolab/commit/410a9228ee265f80692334d75eb2c3b4dac6f9e5 | x_refsource_MISC | |
| https://securitylab.github.com/advisories/GHSL-2023-081_GHSL-2023-082_Autolab/ | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:10:24.879Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/autolab/Autolab/security/advisories/GHSA-h8g5-vhm4-wx6g",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/autolab/Autolab/security/advisories/GHSA-h8g5-vhm4-wx6g"
},
{
"name": "https://github.com/autolab/Autolab/commit/410a9228ee265f80692334d75eb2c3b4dac6f9e5",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/autolab/Autolab/commit/410a9228ee265f80692334d75eb2c3b4dac6f9e5"
},
{
"name": "https://securitylab.github.com/advisories/GHSL-2023-081_GHSL-2023-082_Autolab/",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://securitylab.github.com/advisories/GHSL-2023-081_GHSL-2023-082_Autolab/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Autolab",
"vendor": "autolab",
"versions": [
{
"status": "affected",
"version": "\u003c 2.11.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Autolab is a course management service that enables auto-graded programming assignments. A Tar slip vulnerability was found in the MOSS cheat checker functionality of Autolab. To exploit this vulnerability an authenticated attacker with instructor permissions needs to upload a specially crafted Tar file. Both \"Base File Tar\" and \"Additional file archive\" can be fed with Tar files that contain paths outside their target directories (e.g., `../../../../tmp/tarslipped2.sh`). When the MOSS cheat checker is started the files inside of the archives are expanded to the attacker-chosen locations. This issue may lead to arbitrary file write within the scope of the running process. This issue has been addressed in version 2.11.0. Users are advised to upgrade."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-11T18:23:11.903Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/autolab/Autolab/security/advisories/GHSA-h8g5-vhm4-wx6g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/autolab/Autolab/security/advisories/GHSA-h8g5-vhm4-wx6g"
},
{
"name": "https://github.com/autolab/Autolab/commit/410a9228ee265f80692334d75eb2c3b4dac6f9e5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/autolab/Autolab/commit/410a9228ee265f80692334d75eb2c3b4dac6f9e5"
},
{
"name": "https://securitylab.github.com/advisories/GHSL-2023-081_GHSL-2023-082_Autolab/",
"tags": [
"x_refsource_MISC"
],
"url": "https://securitylab.github.com/advisories/GHSL-2023-081_GHSL-2023-082_Autolab/"
}
],
"source": {
"advisory": "GHSA-h8g5-vhm4-wx6g",
"discovery": "UNKNOWN"
},
"title": "Autolab tar slip in cheat checker functionality (`GHSL-2023-082`)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-32317",
"datePublished": "2023-05-26T22:42:09.929Z",
"dateReserved": "2023-05-08T13:26:03.879Z",
"dateUpdated": "2024-08-02T15:10:24.879Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-41956
Vulnerability from cvelistv5
Published
2023-01-14 00:40
Modified
2024-08-03 12:56
Severity ?
EPSS score ?
Summary
Autolab is vulnerable to file disclosure via remote handin feature
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/autolab/Autolab/security/advisories/GHSA-g7x7-mgrv-f24x | x_refsource_CONFIRM | |
| https://securitylab.github.com/advisories/GHSL-2022-100_Autolab/ | x_refsource_MISC | |
| https://www.stackhawk.com/blog/rails-path-traversal-guide-examples-and-prevention/ | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:56:38.655Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/autolab/Autolab/security/advisories/GHSA-g7x7-mgrv-f24x",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/autolab/Autolab/security/advisories/GHSA-g7x7-mgrv-f24x"
},
{
"name": "https://securitylab.github.com/advisories/GHSL-2022-100_Autolab/",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://securitylab.github.com/advisories/GHSL-2022-100_Autolab/"
},
{
"name": "https://www.stackhawk.com/blog/rails-path-traversal-guide-examples-and-prevention/",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.stackhawk.com/blog/rails-path-traversal-guide-examples-and-prevention/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Autolab",
"vendor": "autolab",
"versions": [
{
"status": "affected",
"version": "\u003c= 2.9.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Autolab is a course management service, initially developed by a team of students at Carnegie Mellon University, that enables instructors to offer autograded programming assignments to their students over the Web. A file disclosure vulnerability was discovered in Autolab\u0027s remote handin feature, whereby users are able to hand-in assignments using paths outside their submission directory. Users can then view the submission to view the file\u0027s contents. The vulnerability has been patched in version 2.10.0. As a workaround, ensure that the field for the remote handin feature is empty (Edit Assessment \u003e Advanced \u003e Remote handin path), and that you are not running Autolab as `root` (or any user that has write access to `/`). Alternatively, disable the remote handin feature if it is unneeded by replacing the body of `local_submit` in `app/controllers/assessment/handin.rb` with `render(plain: \"Feature disabled\", status: :bad_request) \u0026\u0026 return`."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-11T18:24:15.495Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/autolab/Autolab/security/advisories/GHSA-g7x7-mgrv-f24x",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/autolab/Autolab/security/advisories/GHSA-g7x7-mgrv-f24x"
},
{
"name": "https://securitylab.github.com/advisories/GHSL-2022-100_Autolab/",
"tags": [
"x_refsource_MISC"
],
"url": "https://securitylab.github.com/advisories/GHSL-2022-100_Autolab/"
},
{
"name": "https://www.stackhawk.com/blog/rails-path-traversal-guide-examples-and-prevention/",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.stackhawk.com/blog/rails-path-traversal-guide-examples-and-prevention/"
}
],
"source": {
"advisory": "GHSA-g7x7-mgrv-f24x",
"discovery": "UNKNOWN"
},
"title": "Autolab is vulnerable to file disclosure via remote handin feature"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-41956",
"datePublished": "2023-01-14T00:40:32.121Z",
"dateReserved": "2022-09-30T16:38:28.945Z",
"dateUpdated": "2024-08-03T12:56:38.655Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-41955
Vulnerability from cvelistv5
Published
2023-01-14 00:09
Modified
2024-08-03 12:56
Severity ?
EPSS score ?
Summary
Autolab is vulnerable to remote code execution (RCE) via MOSS functionality
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/autolab/Autolab/security/advisories/GHSA-x5r3-vf3p-3269 | x_refsource_CONFIRM | |
| https://securitylab.github.com/advisories/GHSL-2022-100_Autolab/ | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:56:38.649Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/autolab/Autolab/security/advisories/GHSA-x5r3-vf3p-3269",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/autolab/Autolab/security/advisories/GHSA-x5r3-vf3p-3269"
},
{
"name": "https://securitylab.github.com/advisories/GHSL-2022-100_Autolab/",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://securitylab.github.com/advisories/GHSL-2022-100_Autolab/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Autolab",
"vendor": "autolab",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.0.1, \u003c= 2.9.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Autolab is a course management service, initially developed by a team of students at Carnegie Mellon University, that enables instructors to offer autograded programming assignments to their students over the Web. A remote code execution vulnerability was discovered in Autolab\u0027s MOSS functionality, whereby an instructor with access to the feature might be able to execute code on the server hosting Autolab. This vulnerability has been patched in version 2.10.0. As a workaround, disable the MOSS feature if it is unneeded by replacing the body of `run_moss` in `app/controllers/courses_controller.rb` with `render(plain: \"Feature disabled\", status: :bad_request) \u0026\u0026 return`."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-11T18:24:33.078Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/autolab/Autolab/security/advisories/GHSA-x5r3-vf3p-3269",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/autolab/Autolab/security/advisories/GHSA-x5r3-vf3p-3269"
},
{
"name": "https://securitylab.github.com/advisories/GHSL-2022-100_Autolab/",
"tags": [
"x_refsource_MISC"
],
"url": "https://securitylab.github.com/advisories/GHSL-2022-100_Autolab/"
}
],
"source": {
"advisory": "GHSA-x5r3-vf3p-3269",
"discovery": "UNKNOWN"
},
"title": "Autolab is vulnerable to remote code execution (RCE) via MOSS functionality"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-41955",
"datePublished": "2023-01-14T00:09:07.032Z",
"dateReserved": "2022-09-30T16:38:28.945Z",
"dateUpdated": "2024-08-03T12:56:38.649Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}