Vulnerabilites related to autolabproject - autolab
Vulnerability from fkie_nvd
Published
2024-10-25 13:15
Modified
2024-11-14 22:49
Severity ?
Summary
Autolab, a course management service that enables auto-graded programming assignments, has misconfigured reset password permissions in version 3.0.0. For email-based accounts, users with insufficient privileges could reset and theoretically access privileged users' accounts by resetting their passwords. This issue is fixed in version 3.0.1. No known workarounds exist.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| autolabproject | autolab | 3.0.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:autolabproject:autolab:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "3701E85A-2BE3-4080-AADD-6FBFACCFF57E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Autolab, a course management service that enables auto-graded programming assignments, has misconfigured reset password permissions in version 3.0.0. For email-based accounts, users with insufficient privileges could reset and theoretically access privileged users\u0027 accounts by resetting their passwords. This issue is fixed in version 3.0.1. No known workarounds exist."
},
{
"lang": "es",
"value": "Autolab, un servicio de gesti\u00f3n de cursos que permite la calificaci\u00f3n autom\u00e1tica de tareas de programaci\u00f3n, ha configurado incorrectamente los permisos de restablecimiento de contrase\u00f1as en la versi\u00f3n 3.0.0. En el caso de las cuentas basadas en correo electr\u00f3nico, los usuarios con privilegios insuficientes pod\u00edan restablecer y, en teor\u00eda, acceder a las cuentas de los usuarios con privilegios restableciendo sus contrase\u00f1as. Este problema se ha solucionado en la versi\u00f3n 3.0.1. No existen workarounds."
}
],
"id": "CVE-2024-49376",
"lastModified": "2024-11-14T22:49:50.667",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2024-10-25T13:15:17.957",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/autolab/Autolab/commit/301689ab5c5e39d13bab47b71eaf8998d04bcc9b"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/autolab/Autolab/security/advisories/GHSA-v46j-h43h-rwrm"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-01-14 01:15
Modified
2024-11-21 07:24
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
Autolab is a course management service, initially developed by a team of students at Carnegie Mellon University, that enables instructors to offer autograded programming assignments to their students over the Web. A file disclosure vulnerability was discovered in Autolab's remote handin feature, whereby users are able to hand-in assignments using paths outside their submission directory. Users can then view the submission to view the file's contents. The vulnerability has been patched in version 2.10.0. As a workaround, ensure that the field for the remote handin feature is empty (Edit Assessment > Advanced > Remote handin path), and that you are not running Autolab as `root` (or any user that has write access to `/`). Alternatively, disable the remote handin feature if it is unneeded by replacing the body of `local_submit` in `app/controllers/assessment/handin.rb` with `render(plain: "Feature disabled", status: :bad_request) && return`.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| autolabproject | autolab | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:autolabproject:autolab:*:*:*:*:*:*:*:*",
"matchCriteriaId": "15CEA33A-9734-4B79-8525-92B23FF92B80",
"versionEndExcluding": "2.10.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Autolab is a course management service, initially developed by a team of students at Carnegie Mellon University, that enables instructors to offer autograded programming assignments to their students over the Web. A file disclosure vulnerability was discovered in Autolab\u0027s remote handin feature, whereby users are able to hand-in assignments using paths outside their submission directory. Users can then view the submission to view the file\u0027s contents. The vulnerability has been patched in version 2.10.0. As a workaround, ensure that the field for the remote handin feature is empty (Edit Assessment \u003e Advanced \u003e Remote handin path), and that you are not running Autolab as `root` (or any user that has write access to `/`). Alternatively, disable the remote handin feature if it is unneeded by replacing the body of `local_submit` in `app/controllers/assessment/handin.rb` with `render(plain: \"Feature disabled\", status: :bad_request) \u0026\u0026 return`."
},
{
"lang": "es",
"value": "Autolab es un servicio de gesti\u00f3n de cursos, desarrollado inicialmente por un equipo de estudiantes de la Universidad Carnegie Mellon, que permite a los instructores ofrecer tareas de programaci\u00f3n autocalificadas a sus estudiantes a trav\u00e9s de la Web. Se descubri\u00f3 una vulnerabilidad de divulgaci\u00f3n de archivos en la funci\u00f3n de entrega remota de Autolab, mediante la cual los usuarios pueden entregar tareas utilizando rutas fuera de su directorio de env\u00edo. Luego, los usuarios pueden ver el env\u00edo para ver el contenido del archivo. Esta vulnerabilidad ha sido parcheada en la versi\u00f3n 2.10.0. Como workaround, aseg\u00farese de que el campo para la funci\u00f3n de entrega remota est\u00e9 vac\u00edo (Edit Assessment \u0026gt; Advanced \u0026gt; Remote handin path) y que no est\u00e9 ejecutando Autolab como `root` (o cualquier usuario que tenga acceso de escritura a `/ `). Alternativamente `local_submit` in `app/controllers/assessment/handin.rb` with `render(plain: \"Feature disabled\", status: :bad_request) \u0026amp;\u0026amp; return`."
}
],
"id": "CVE-2022-41956",
"lastModified": "2024-11-21T07:24:09.070",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-01-14T01:15:13.230",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/autolab/Autolab/security/advisories/GHSA-g7x7-mgrv-f24x"
},
{
"source": "security-advisories@github.com",
"url": "https://securitylab.github.com/advisories/GHSL-2022-100_Autolab/"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.stackhawk.com/blog/rails-path-traversal-guide-examples-and-prevention/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/autolab/Autolab/security/advisories/GHSA-g7x7-mgrv-f24x"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://securitylab.github.com/advisories/GHSL-2022-100_Autolab/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.stackhawk.com/blog/rails-path-traversal-guide-examples-and-prevention/"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-04-11 07:15
Modified
2024-11-21 06:39
Severity ?
Summary
Cross-site Scripting (XSS) - Stored in GitHub repository autolab/autolab prior to 2.8.0.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@huntr.dev | https://github.com/autolab/autolab/commit/02d76ab3737689bba95ffe9a1c69ca5166d71c6b | Patch, Third Party Advisory | |
| security@huntr.dev | https://huntr.dev/bounties/90701766-bfed-409e-b3dd-6ff884373968 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/autolab/autolab/commit/02d76ab3737689bba95ffe9a1c69ca5166d71c6b | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://huntr.dev/bounties/90701766-bfed-409e-b3dd-6ff884373968 | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| autolabproject | autolab | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:autolabproject:autolab:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9F9D8D60-EC00-45C9-B3AC-C52D1FB4CAFA",
"versionEndExcluding": "2.8.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) - Stored in GitHub repository autolab/autolab prior to 2.8.0."
},
{
"lang": "es",
"value": "Una vulnerabilidad de tipo Cross-site Scripting (XSS) - Almacenado en el repositorio de GitHub autolab/autolab versiones anteriores a 2.8.0"
}
],
"id": "CVE-2022-0936",
"lastModified": "2024-11-21T06:39:41.917",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 4.7,
"source": "security@huntr.dev",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-04-11T07:15:08.140",
"references": [
{
"source": "security@huntr.dev",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/autolab/autolab/commit/02d76ab3737689bba95ffe9a1c69ca5166d71c6b"
},
{
"source": "security@huntr.dev",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/90701766-bfed-409e-b3dd-6ff884373968"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/autolab/autolab/commit/02d76ab3737689bba95ffe9a1c69ca5166d71c6b"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/90701766-bfed-409e-b3dd-6ff884373968"
}
],
"sourceIdentifier": "security@huntr.dev",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security@huntr.dev",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-05-26 23:15
Modified
2024-11-21 08:03
Severity ?
6.7 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
Autolab is a course management service that enables auto-graded programming assignments. A Tar slip vulnerability was found in the MOSS cheat checker functionality of Autolab. To exploit this vulnerability an authenticated attacker with instructor permissions needs to upload a specially crafted Tar file. Both "Base File Tar" and "Additional file archive" can be fed with Tar files that contain paths outside their target directories (e.g., `../../../../tmp/tarslipped2.sh`). When the MOSS cheat checker is started the files inside of the archives are expanded to the attacker-chosen locations. This issue may lead to arbitrary file write within the scope of the running process. This issue has been addressed in version 2.11.0. Users are advised to upgrade.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| autolabproject | autolab | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:autolabproject:autolab:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F025235E-3D41-4053-8167-1D8D94A645FF",
"versionEndExcluding": "2.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Autolab is a course management service that enables auto-graded programming assignments. A Tar slip vulnerability was found in the MOSS cheat checker functionality of Autolab. To exploit this vulnerability an authenticated attacker with instructor permissions needs to upload a specially crafted Tar file. Both \"Base File Tar\" and \"Additional file archive\" can be fed with Tar files that contain paths outside their target directories (e.g., `../../../../tmp/tarslipped2.sh`). When the MOSS cheat checker is started the files inside of the archives are expanded to the attacker-chosen locations. This issue may lead to arbitrary file write within the scope of the running process. This issue has been addressed in version 2.11.0. Users are advised to upgrade."
}
],
"id": "CVE-2023-32317",
"lastModified": "2024-11-21T08:03:06.027",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.5,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-05-26T23:15:16.950",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/autolab/Autolab/commit/410a9228ee265f80692334d75eb2c3b4dac6f9e5"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/autolab/Autolab/security/advisories/GHSA-h8g5-vhm4-wx6g"
},
{
"source": "security-advisories@github.com",
"url": "https://securitylab.github.com/advisories/GHSL-2023-081_GHSL-2023-082_Autolab/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/autolab/Autolab/commit/410a9228ee265f80692334d75eb2c3b4dac6f9e5"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/autolab/Autolab/security/advisories/GHSA-h8g5-vhm4-wx6g"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://securitylab.github.com/advisories/GHSL-2023-081_GHSL-2023-082_Autolab/"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-05-26 23:15
Modified
2024-11-21 08:03
Severity ?
6.7 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
Autolab is a course management service that enables auto-graded programming assignments. A Tar slip vulnerability was found in the Install assessment functionality of Autolab. To exploit this vulnerability an authenticated attacker with instructor permissions needs to upload a specially crafted Tar file. Using the install assessment functionality an attacker can feed a Tar file that contain files with paths pointing outside of the target directory (e.g., `../../../../tmp/tarslipped1.sh`). When the Install assessment form is submitted the files inside of the archives are expanded to the attacker-chosen locations. This issue has been addressed in version 2.11.0. Users are advised to upgrade.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| autolabproject | autolab | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:autolabproject:autolab:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F025235E-3D41-4053-8167-1D8D94A645FF",
"versionEndExcluding": "2.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Autolab is a course management service that enables auto-graded programming assignments. A Tar slip vulnerability was found in the Install assessment functionality of Autolab. To exploit this vulnerability an authenticated attacker with instructor permissions needs to upload a specially crafted Tar file. Using the install assessment functionality an attacker can feed a Tar file that contain files with paths pointing outside of the target directory (e.g., `../../../../tmp/tarslipped1.sh`). When the Install assessment form is submitted the files inside of the archives are expanded to the attacker-chosen locations. This issue has been addressed in version 2.11.0. Users are advised to upgrade."
}
],
"id": "CVE-2023-32676",
"lastModified": "2024-11-21T08:03:49.753",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.5,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-05-26T23:15:18.647",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/autolab/Autolab/commit/14f508484a8323eceb0cf3a128573b43eabbc80d"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/autolab/Autolab/security/advisories/GHSA-x9hj-r9q4-832c"
},
{
"source": "security-advisories@github.com",
"url": "https://securitylab.github.com/advisories/GHSL-2023-081_GHSL-2023-082_Autolab/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/autolab/Autolab/commit/14f508484a8323eceb0cf3a128573b43eabbc80d"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/autolab/Autolab/security/advisories/GHSA-x9hj-r9q4-832c"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://securitylab.github.com/advisories/GHSL-2023-081_GHSL-2023-082_Autolab/"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-11-27 22:15
Modified
2025-04-21 15:07
Severity ?
6.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N
6.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N
6.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N
Summary
Autolab is a course management service that enables auto-graded programming assignments. A user can modify their first and or last name to include a valid excel / spreadsheet formula. When an instructor downloads their course's roster and opens, this name will then be evaluated as a formula. This could lead to leakage of information of students in the course roster by sending the data to a remote endpoint. This issue has been patched in the source code repository and the fix is expected to be released in the next version. Users are advised to manually patch their systems or to wait for the next release. There are no known workarounds for this vulnerability.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| autolabproject | autolab | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:autolabproject:autolab:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BB361D34-3375-41C6-B7E4-A5E6CFAE7116",
"versionEndIncluding": "3.0.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Autolab is a course management service that enables auto-graded programming assignments. A user can modify their first and or last name to include a valid excel / spreadsheet formula. When an instructor downloads their course\u0027s roster and opens, this name will then be evaluated as a formula. This could lead to leakage of information of students in the course roster by sending the data to a remote endpoint. This issue has been patched in the source code repository and the fix is expected to be released in the next version. Users are advised to manually patch their systems or to wait for the next release. There are no known workarounds for this vulnerability."
},
{
"lang": "es",
"value": "Autolab es un servicio de gesti\u00f3n de cursos que permite la calificaci\u00f3n autom\u00e1tica de tareas de programaci\u00f3n. Un usuario puede modificar su nombre y apellido para incluir una f\u00f3rmula v\u00e1lida de Excel o de una hoja de c\u00e1lculo. Cuando un instructor descarga la lista de su curso y la abre, este nombre se evaluar\u00e1 como una f\u00f3rmula. Esto podr\u00eda provocar una fuga de informaci\u00f3n de los estudiantes en la lista del curso al enviar los datos a un punto final remoto. Este problema se ha corregido en el repositorio de c\u00f3digo fuente y se espera que la soluci\u00f3n se publique en la pr\u00f3xima versi\u00f3n. Se recomienda a los usuarios que apliquen manualmente el parche a sus sistemas o que esperen a la pr\u00f3xima versi\u00f3n. No se conocen workarounds para esta vulnerabilidad."
}
],
"id": "CVE-2024-53260",
"lastModified": "2025-04-21T15:07:22.850",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 4.0,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 4.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-11-27T22:15:05.353",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/autolab/Autolab/commit/fe44b53815d37c63e751032205b692ccd5737620"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/autolab/Autolab/security/advisories/GHSA-cqxx-pfmh-h43g"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-1236"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-01-22 15:15
Modified
2024-11-21 08:25
Severity ?
4.9 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
Autolab is a course management service that enables instructors to offer autograded programming assignments to their students over the Web. Path traversal vulnerabilities were discovered in Autolab's assessment functionality in versions of Autolab prior to 2.12.0, whereby instructors can perform arbitrary file reads. Version 2.12.0 contains a patch. There are no feasible workarounds for this issue.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| autolabproject | autolab | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:autolabproject:autolab:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E1C7D024-2BC5-4EB3-8FF6-006C25BBAFFD",
"versionEndExcluding": "2.12.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Autolab is a course management service that enables instructors to offer autograded programming assignments to their students over the Web. Path traversal vulnerabilities were discovered in Autolab\u0027s assessment functionality in versions of Autolab prior to 2.12.0, whereby instructors can perform arbitrary file reads. Version 2.12.0 contains a patch. There are no feasible workarounds for this issue."
},
{
"lang": "es",
"value": "Autolab es un servicio de gesti\u00f3n de cursos que permite a los profesores ofrecer tareas de programaci\u00f3n con calificaci\u00f3n autom\u00e1tica a sus estudiantes a trav\u00e9s de la Web. Se descubrieron vulnerabilidades de path traversal en la funcionalidad de evaluaci\u00f3n de Autolab en versiones de Autolab anteriores a la 2.12.0, mediante las cuales los instructores pueden realizar lecturas de archivos arbitrarias. La versi\u00f3n 2.12.0 contiene un parche. No existen workarounds viables para este problema."
}
],
"id": "CVE-2023-44395",
"lastModified": "2024-11-21T08:25:48.913",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-01-22T15:15:08.037",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/autolab/Autolab/releases/tag/v2.12.0"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/autolab/Autolab/security/advisories/GHSA-h8wq-ghfq-5hfx"
},
{
"source": "security-advisories@github.com",
"tags": [
"Technical Description"
],
"url": "https://www.stackhawk.com/blog/rails-path-traversal-guide-examples-and-prevention/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://github.com/autolab/Autolab/releases/tag/v2.12.0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/autolab/Autolab/security/advisories/GHSA-h8wq-ghfq-5hfx"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Technical Description"
],
"url": "https://www.stackhawk.com/blog/rails-path-traversal-guide-examples-and-prevention/"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-11-18 21:15
Modified
2025-01-21 17:55
Severity ?
Summary
Autolab is a course management service that enables auto-graded programming assignments. There is a vulnerability in version 3.0.1 where CAs can view or edit the grade for any submission ID, even if they are not a CA for the class that has the submission. The endpoints only check that the CAs have the authorization level of a CA in the class in the endpoint, which is not necessarily the class the submission is attached to. Version 3.0.2 contains a patch. No known workarounds are available.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| autolabproject | autolab | 3.0.1 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:autolabproject:autolab:3.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F7DE5B67-FBCC-47C8-B03B-40B45F66A5B9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Autolab is a course management service that enables auto-graded programming assignments. There is a vulnerability in version 3.0.1 where CAs can view or edit the grade for any submission ID, even if they are not a CA for the class that has the submission. The endpoints only check that the CAs have the authorization level of a CA in the class in the endpoint, which is not necessarily the class the submission is attached to. Version 3.0.2 contains a patch. No known workarounds are available."
},
{
"lang": "es",
"value": "Autolab es un servicio de gesti\u00f3n de cursos que permite la calificaci\u00f3n autom\u00e1tica de tareas de programaci\u00f3n. Existe una vulnerabilidad en la versi\u00f3n 3.0.1 en la que los CA pueden ver o editar la calificaci\u00f3n de cualquier ID de env\u00edo, incluso si no son CA de la clase que tiene el env\u00edo. Los endpoints solo verifican que los CA tengan el nivel de autorizaci\u00f3n de un CA de la clase en el endpoint, que no es necesariamente la clase a la que est\u00e1 asociado el env\u00edo. La versi\u00f3n 3.0.2 contiene un parche. No hay workarounds disponibles."
}
],
"id": "CVE-2024-52584",
"lastModified": "2025-01-21T17:55:15.340",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "UNREPORTED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2024-11-18T21:15:07.047",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/autolab/Autolab/commit/96006d532a392eeca2d350d1811f8e8ab9625bda"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/autolab/Autolab/security/advisories/GHSA-rjg4-cf66-x6gr"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-11-25 20:15
Modified
2025-04-07 19:56
Severity ?
Summary
Autolab is a course management service that enables auto-graded programming assignments. From Autolab versions v.3.0.0 onward students can download all assignments from another student, as long as they are logged in, using the download_all_submissions feature. This can allow for leakage of submissions to unauthorized users, such as downloading submissions from other students in the class, or even instructor test submissions, given they know their user IDs. This issue has been patched in commit `1aa4c769` which is not yet in a release version, but is expected to be included in version 3.0.3. Users are advised to either manually patch or to wait for version 3.0.3. As a workaround administrators can disable the feature.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| autolabproject | autolab | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:autolabproject:autolab:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D4A5120A-AE4E-4B4B-8306-9FD09378AD8C",
"versionEndIncluding": "3.0.2",
"versionStartIncluding": "3.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Autolab is a course management service that enables auto-graded programming assignments. From Autolab versions v.3.0.0 onward students can download all assignments from another student, as long as they are logged in, using the download_all_submissions feature. This can allow for leakage of submissions to unauthorized users, such as downloading submissions from other students in the class, or even instructor test submissions, given they know their user IDs. This issue has been patched in commit `1aa4c769` which is not yet in a release version, but is expected to be included in version 3.0.3. Users are advised to either manually patch or to wait for version 3.0.3. As a workaround administrators can disable the feature."
},
{
"lang": "es",
"value": "Autolab es un servicio de gesti\u00f3n de cursos que permite la calificaci\u00f3n autom\u00e1tica de tareas de programaci\u00f3n. A partir de la versi\u00f3n 3.0.0 de Autolab, los estudiantes pueden descargar todas las tareas de otro estudiante, siempre que hayan iniciado sesi\u00f3n, mediante la funci\u00f3n download_all_submissions. Esto puede permitir la filtraci\u00f3n de entregas a usuarios no autorizados, como la descarga de entregas de otros estudiantes de la clase o incluso entregas de ex\u00e1menes de instructores, siempre que conozcan sus ID de usuario. Este problema se ha corregido en el commit `1aa4c769`, que a\u00fan no est\u00e1 en una versi\u00f3n de lanzamiento, pero se espera que se incluya en la versi\u00f3n 3.0.3. Se recomienda a los usuarios que apliquen el parche manualmente o que esperen a la versi\u00f3n 3.0.3. Como workaround, los administradores pueden desactivar la funci\u00f3n."
}
],
"id": "CVE-2024-53258",
"lastModified": "2025-04-07T19:56:52.350",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2024-11-25T20:15:10.030",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/autolab/Autolab/commit/1aa4c7690892fb458d2c61ff86739f368e34769d"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/autolab/Autolab/security/advisories/GHSA-84qc-7773-2gg3"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-359"
},
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-11-18 21:15
Modified
2025-01-21 17:56
Severity ?
Summary
Autolab is a course management service that enables auto-graded programming assignments. There is an HTML injection vulnerability in version 3.0.1 that can affect instructors and CAs on the grade submissions page. The issue is patched in version 3.0.2. One may apply the patch manually by editing line 589 on `gradesheet.js.erb` to take in feedback as text rather than html.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| autolabproject | autolab | 3.0.1 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:autolabproject:autolab:3.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F7DE5B67-FBCC-47C8-B03B-40B45F66A5B9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Autolab is a course management service that enables auto-graded programming assignments. There is an HTML injection vulnerability in version 3.0.1 that can affect instructors and CAs on the grade submissions page. The issue is patched in version 3.0.2. One may apply the patch manually by editing line 589 on `gradesheet.js.erb` to take in feedback as text rather than html."
},
{
"lang": "es",
"value": "Autolab es un servicio de gesti\u00f3n de cursos que permite la calificaci\u00f3n autom\u00e1tica de tareas de programaci\u00f3n. Existe una vulnerabilidad de inyecci\u00f3n de HTML en la versi\u00f3n 3.0.1 que puede afectar a los instructores y a los CA en la p\u00e1gina de env\u00edo de calificaciones. El problema se solucion\u00f3 en la versi\u00f3n 3.0.2. Se puede aplicar el parche manualmente editando la l\u00ednea 589 en `gradesheet.js.erb` para que los comentarios se tomen como texto en lugar de HTML."
}
],
"id": "CVE-2024-52585",
"lastModified": "2025-01-21T17:56:12.597",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 1.2,
"baseSeverity": "LOW",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "UNREPORTED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2024-11-18T21:15:07.183",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/autolab/Autolab/commit/2429983b6caa245fea1b37f0dc236ccbcad9554c"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/autolab/Autolab/security/advisories/GHSA-8qhp-jhhw-45r2"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-01-14 01:15
Modified
2024-11-21 07:24
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Autolab is a course management service, initially developed by a team of students at Carnegie Mellon University, that enables instructors to offer autograded programming assignments to their students over the Web. A remote code execution vulnerability was discovered in Autolab's MOSS functionality, whereby an instructor with access to the feature might be able to execute code on the server hosting Autolab. This vulnerability has been patched in version 2.10.0. As a workaround, disable the MOSS feature if it is unneeded by replacing the body of `run_moss` in `app/controllers/courses_controller.rb` with `render(plain: "Feature disabled", status: :bad_request) && return`.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| autolabproject | autolab | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:autolabproject:autolab:*:*:*:*:*:*:*:*",
"matchCriteriaId": "09725D4C-83C4-4861-B0EB-58FC9C8F665D",
"versionEndExcluding": "2.10.0",
"versionStartIncluding": "2.0.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Autolab is a course management service, initially developed by a team of students at Carnegie Mellon University, that enables instructors to offer autograded programming assignments to their students over the Web. A remote code execution vulnerability was discovered in Autolab\u0027s MOSS functionality, whereby an instructor with access to the feature might be able to execute code on the server hosting Autolab. This vulnerability has been patched in version 2.10.0. As a workaround, disable the MOSS feature if it is unneeded by replacing the body of `run_moss` in `app/controllers/courses_controller.rb` with `render(plain: \"Feature disabled\", status: :bad_request) \u0026\u0026 return`."
},
{
"lang": "es",
"value": "Autolab es un servicio de gesti\u00f3n de cursos, desarrollado inicialmente por un equipo de estudiantes de la Universidad Carnegie Mellon, que permite a los instructores ofrecer tareas de programaci\u00f3n autocalificadas a sus estudiantes a trav\u00e9s de la Web. Se descubri\u00f3 una vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo en la funcionalidad MOSS de Autolab, mediante la cual un instructor con acceso a la funci\u00f3n podr\u00eda ejecutar c\u00f3digo en el servidor que aloja Autolab. Esta vulnerabilidad ha sido parcheada en la versi\u00f3n 2.10.0. Como workaround, deshabilite la funci\u00f3n MOSS si no es necesaria reemplazando el cuerpo de `run_moss` en `app/controllers/courses_controller.rb` with `render(plain: \"Feature disabled\", status: :bad_request) \u0026amp;\u0026amp; return`."
}
],
"id": "CVE-2022-41955",
"lastModified": "2024-11-21T07:24:08.940",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-01-14T01:15:12.743",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/autolab/Autolab/security/advisories/GHSA-x5r3-vf3p-3269"
},
{
"source": "security-advisories@github.com",
"url": "https://securitylab.github.com/advisories/GHSL-2022-100_Autolab/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/autolab/Autolab/security/advisories/GHSA-x5r3-vf3p-3269"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://securitylab.github.com/advisories/GHSL-2022-100_Autolab/"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-78"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-77"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2024-52585 (GCVE-0-2024-52585)
Vulnerability from cvelistv5
Published
2024-11-18 20:45
Modified
2024-11-21 14:47
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Autolab is a course management service that enables auto-graded programming assignments. There is an HTML injection vulnerability in version 3.0.1 that can affect instructors and CAs on the grade submissions page. The issue is patched in version 3.0.2. One may apply the patch manually by editing line 589 on `gradesheet.js.erb` to take in feedback as text rather than html.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/autolab/Autolab/security/advisories/GHSA-8qhp-jhhw-45r2 | x_refsource_CONFIRM | |
| https://github.com/autolab/Autolab/commit/2429983b6caa245fea1b37f0dc236ccbcad9554c | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-52585",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-19T15:31:24.785079Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-21T14:47:11.984Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Autolab",
"vendor": "autolab",
"versions": [
{
"status": "affected",
"version": "= 3.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Autolab is a course management service that enables auto-graded programming assignments. There is an HTML injection vulnerability in version 3.0.1 that can affect instructors and CAs on the grade submissions page. The issue is patched in version 3.0.2. One may apply the patch manually by editing line 589 on `gradesheet.js.erb` to take in feedback as text rather than html."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 1.2,
"baseSeverity": "LOW",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-18T20:45:32.931Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/autolab/Autolab/security/advisories/GHSA-8qhp-jhhw-45r2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/autolab/Autolab/security/advisories/GHSA-8qhp-jhhw-45r2"
},
{
"name": "https://github.com/autolab/Autolab/commit/2429983b6caa245fea1b37f0dc236ccbcad9554c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/autolab/Autolab/commit/2429983b6caa245fea1b37f0dc236ccbcad9554c"
}
],
"source": {
"advisory": "GHSA-8qhp-jhhw-45r2",
"discovery": "UNKNOWN"
},
"title": "Autolab has HTML Injection Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-52585",
"datePublished": "2024-11-18T20:45:19.561Z",
"dateReserved": "2024-11-14T15:05:46.766Z",
"dateUpdated": "2024-11-21T14:47:11.984Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-44395 (GCVE-0-2023-44395)
Vulnerability from cvelistv5
Published
2024-01-22 14:51
Modified
2024-08-23 19:18
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
Autolab is a course management service that enables instructors to offer autograded programming assignments to their students over the Web. Path traversal vulnerabilities were discovered in Autolab's assessment functionality in versions of Autolab prior to 2.12.0, whereby instructors can perform arbitrary file reads. Version 2.12.0 contains a patch. There are no feasible workarounds for this issue.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/autolab/Autolab/security/advisories/GHSA-h8wq-ghfq-5hfx | x_refsource_CONFIRM | |
| https://github.com/autolab/Autolab/releases/tag/v2.12.0 | x_refsource_MISC | |
| https://www.stackhawk.com/blog/rails-path-traversal-guide-examples-and-prevention/ | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:07:33.190Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/autolab/Autolab/security/advisories/GHSA-h8wq-ghfq-5hfx",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/autolab/Autolab/security/advisories/GHSA-h8wq-ghfq-5hfx"
},
{
"name": "https://github.com/autolab/Autolab/releases/tag/v2.12.0",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/autolab/Autolab/releases/tag/v2.12.0"
},
{
"name": "https://www.stackhawk.com/blog/rails-path-traversal-guide-examples-and-prevention/",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.stackhawk.com/blog/rails-path-traversal-guide-examples-and-prevention/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-44395",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-23T19:09:39.273104Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-23T19:18:41.408Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Autolab",
"vendor": "autolab",
"versions": [
{
"status": "affected",
"version": "\u003c 2.12.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Autolab is a course management service that enables instructors to offer autograded programming assignments to their students over the Web. Path traversal vulnerabilities were discovered in Autolab\u0027s assessment functionality in versions of Autolab prior to 2.12.0, whereby instructors can perform arbitrary file reads. Version 2.12.0 contains a patch. There are no feasible workarounds for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-22T14:51:14.371Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/autolab/Autolab/security/advisories/GHSA-h8wq-ghfq-5hfx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/autolab/Autolab/security/advisories/GHSA-h8wq-ghfq-5hfx"
},
{
"name": "https://github.com/autolab/Autolab/releases/tag/v2.12.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/autolab/Autolab/releases/tag/v2.12.0"
},
{
"name": "https://www.stackhawk.com/blog/rails-path-traversal-guide-examples-and-prevention/",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.stackhawk.com/blog/rails-path-traversal-guide-examples-and-prevention/"
}
],
"source": {
"advisory": "GHSA-h8wq-ghfq-5hfx",
"discovery": "UNKNOWN"
},
"title": "Autolab has Path Traversal vulnerability in Assessment functionality"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-44395",
"datePublished": "2024-01-22T14:51:14.371Z",
"dateReserved": "2023-09-28T17:56:32.614Z",
"dateUpdated": "2024-08-23T19:18:41.408Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0936 (GCVE-0-2022-0936)
Vulnerability from cvelistv5
Published
2022-04-11 06:15
Modified
2024-08-02 23:47
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Cross-site Scripting (XSS) - Stored in GitHub repository autolab/autolab prior to 2.8.0.
References
| ▼ | URL | Tags |
|---|---|---|
| https://huntr.dev/bounties/90701766-bfed-409e-b3dd-6ff884373968 | x_refsource_CONFIRM | |
| https://github.com/autolab/autolab/commit/02d76ab3737689bba95ffe9a1c69ca5166d71c6b | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| autolab | autolab/autolab |
Version: unspecified < 2.8.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:47:42.670Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/90701766-bfed-409e-b3dd-6ff884373968"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/autolab/autolab/commit/02d76ab3737689bba95ffe9a1c69ca5166d71c6b"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "autolab/autolab",
"vendor": "autolab",
"versions": [
{
"lessThan": "2.8.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) - Stored in GitHub repository autolab/autolab prior to 2.8.0."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-11T06:15:15",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/90701766-bfed-409e-b3dd-6ff884373968"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/autolab/autolab/commit/02d76ab3737689bba95ffe9a1c69ca5166d71c6b"
}
],
"source": {
"advisory": "90701766-bfed-409e-b3dd-6ff884373968",
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (XSS) - Stored in autolab/autolab",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-0936",
"STATE": "PUBLIC",
"TITLE": "Cross-site Scripting (XSS) - Stored in autolab/autolab"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "autolab/autolab",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "2.8.0"
}
]
}
}
]
},
"vendor_name": "autolab"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site Scripting (XSS) - Stored in GitHub repository autolab/autolab prior to 2.8.0."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/90701766-bfed-409e-b3dd-6ff884373968",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/90701766-bfed-409e-b3dd-6ff884373968"
},
{
"name": "https://github.com/autolab/autolab/commit/02d76ab3737689bba95ffe9a1c69ca5166d71c6b",
"refsource": "MISC",
"url": "https://github.com/autolab/autolab/commit/02d76ab3737689bba95ffe9a1c69ca5166d71c6b"
}
]
},
"source": {
"advisory": "90701766-bfed-409e-b3dd-6ff884373968",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-0936",
"datePublished": "2022-04-11T06:15:15",
"dateReserved": "2022-03-12T00:00:00",
"dateUpdated": "2024-08-02T23:47:42.670Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-32676 (GCVE-0-2023-32676)
Vulnerability from cvelistv5
Published
2023-05-26 22:44
Modified
2024-10-15 16:29
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
Autolab is a course management service that enables auto-graded programming assignments. A Tar slip vulnerability was found in the Install assessment functionality of Autolab. To exploit this vulnerability an authenticated attacker with instructor permissions needs to upload a specially crafted Tar file. Using the install assessment functionality an attacker can feed a Tar file that contain files with paths pointing outside of the target directory (e.g., `../../../../tmp/tarslipped1.sh`). When the Install assessment form is submitted the files inside of the archives are expanded to the attacker-chosen locations. This issue has been addressed in version 2.11.0. Users are advised to upgrade.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/autolab/Autolab/security/advisories/GHSA-x9hj-r9q4-832c | x_refsource_CONFIRM | |
| https://github.com/autolab/Autolab/commit/14f508484a8323eceb0cf3a128573b43eabbc80d | x_refsource_MISC | |
| https://securitylab.github.com/advisories/GHSL-2023-081_GHSL-2023-082_Autolab/ | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:25:36.413Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/autolab/Autolab/security/advisories/GHSA-x9hj-r9q4-832c",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/autolab/Autolab/security/advisories/GHSA-x9hj-r9q4-832c"
},
{
"name": "https://github.com/autolab/Autolab/commit/14f508484a8323eceb0cf3a128573b43eabbc80d",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/autolab/Autolab/commit/14f508484a8323eceb0cf3a128573b43eabbc80d"
},
{
"name": "https://securitylab.github.com/advisories/GHSL-2023-081_GHSL-2023-082_Autolab/",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://securitylab.github.com/advisories/GHSL-2023-081_GHSL-2023-082_Autolab/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-32676",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-24T17:20:24.700305Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-15T16:29:34.601Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Autolab",
"vendor": "autolab",
"versions": [
{
"status": "affected",
"version": "\u003c 2.11.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Autolab is a course management service that enables auto-graded programming assignments. A Tar slip vulnerability was found in the Install assessment functionality of Autolab. To exploit this vulnerability an authenticated attacker with instructor permissions needs to upload a specially crafted Tar file. Using the install assessment functionality an attacker can feed a Tar file that contain files with paths pointing outside of the target directory (e.g., `../../../../tmp/tarslipped1.sh`). When the Install assessment form is submitted the files inside of the archives are expanded to the attacker-chosen locations. This issue has been addressed in version 2.11.0. Users are advised to upgrade."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-11T18:23:01.008Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/autolab/Autolab/security/advisories/GHSA-x9hj-r9q4-832c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/autolab/Autolab/security/advisories/GHSA-x9hj-r9q4-832c"
},
{
"name": "https://github.com/autolab/Autolab/commit/14f508484a8323eceb0cf3a128573b43eabbc80d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/autolab/Autolab/commit/14f508484a8323eceb0cf3a128573b43eabbc80d"
},
{
"name": "https://securitylab.github.com/advisories/GHSL-2023-081_GHSL-2023-082_Autolab/",
"tags": [
"x_refsource_MISC"
],
"url": "https://securitylab.github.com/advisories/GHSL-2023-081_GHSL-2023-082_Autolab/"
}
],
"source": {
"advisory": "GHSA-x9hj-r9q4-832c",
"discovery": "UNKNOWN"
},
"title": "Autolab tar slip in Install Assessment functionality (`GHSL-2023-081`)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-32676",
"datePublished": "2023-05-26T22:44:09.157Z",
"dateReserved": "2023-05-11T16:33:45.731Z",
"dateUpdated": "2024-10-15T16:29:34.601Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-41955 (GCVE-0-2022-41955)
Vulnerability from cvelistv5
Published
2023-01-14 00:09
Modified
2024-08-03 12:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Summary
Autolab is a course management service, initially developed by a team of students at Carnegie Mellon University, that enables instructors to offer autograded programming assignments to their students over the Web. A remote code execution vulnerability was discovered in Autolab's MOSS functionality, whereby an instructor with access to the feature might be able to execute code on the server hosting Autolab. This vulnerability has been patched in version 2.10.0. As a workaround, disable the MOSS feature if it is unneeded by replacing the body of `run_moss` in `app/controllers/courses_controller.rb` with `render(plain: "Feature disabled", status: :bad_request) && return`.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/autolab/Autolab/security/advisories/GHSA-x5r3-vf3p-3269 | x_refsource_CONFIRM | |
| https://securitylab.github.com/advisories/GHSL-2022-100_Autolab/ | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:56:38.649Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/autolab/Autolab/security/advisories/GHSA-x5r3-vf3p-3269",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/autolab/Autolab/security/advisories/GHSA-x5r3-vf3p-3269"
},
{
"name": "https://securitylab.github.com/advisories/GHSL-2022-100_Autolab/",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://securitylab.github.com/advisories/GHSL-2022-100_Autolab/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Autolab",
"vendor": "autolab",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.0.1, \u003c= 2.9.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Autolab is a course management service, initially developed by a team of students at Carnegie Mellon University, that enables instructors to offer autograded programming assignments to their students over the Web. A remote code execution vulnerability was discovered in Autolab\u0027s MOSS functionality, whereby an instructor with access to the feature might be able to execute code on the server hosting Autolab. This vulnerability has been patched in version 2.10.0. As a workaround, disable the MOSS feature if it is unneeded by replacing the body of `run_moss` in `app/controllers/courses_controller.rb` with `render(plain: \"Feature disabled\", status: :bad_request) \u0026\u0026 return`."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-11T18:24:33.078Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/autolab/Autolab/security/advisories/GHSA-x5r3-vf3p-3269",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/autolab/Autolab/security/advisories/GHSA-x5r3-vf3p-3269"
},
{
"name": "https://securitylab.github.com/advisories/GHSL-2022-100_Autolab/",
"tags": [
"x_refsource_MISC"
],
"url": "https://securitylab.github.com/advisories/GHSL-2022-100_Autolab/"
}
],
"source": {
"advisory": "GHSA-x5r3-vf3p-3269",
"discovery": "UNKNOWN"
},
"title": "Autolab is vulnerable to remote code execution (RCE) via MOSS functionality"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-41955",
"datePublished": "2023-01-14T00:09:07.032Z",
"dateReserved": "2022-09-30T16:38:28.945Z",
"dateUpdated": "2024-08-03T12:56:38.649Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-52584 (GCVE-0-2024-52584)
Vulnerability from cvelistv5
Published
2024-11-18 20:43
Modified
2024-11-21 14:54
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-863 - Incorrect Authorization
Summary
Autolab is a course management service that enables auto-graded programming assignments. There is a vulnerability in version 3.0.1 where CAs can view or edit the grade for any submission ID, even if they are not a CA for the class that has the submission. The endpoints only check that the CAs have the authorization level of a CA in the class in the endpoint, which is not necessarily the class the submission is attached to. Version 3.0.2 contains a patch. No known workarounds are available.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/autolab/Autolab/security/advisories/GHSA-rjg4-cf66-x6gr | x_refsource_CONFIRM | |
| https://github.com/autolab/Autolab/commit/96006d532a392eeca2d350d1811f8e8ab9625bda | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-52584",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-19T15:33:21.755042Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-21T14:54:45.418Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Autolab",
"vendor": "autolab",
"versions": [
{
"status": "affected",
"version": "= 3.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Autolab is a course management service that enables auto-graded programming assignments. There is a vulnerability in version 3.0.1 where CAs can view or edit the grade for any submission ID, even if they are not a CA for the class that has the submission. The endpoints only check that the CAs have the authorization level of a CA in the class in the endpoint, which is not necessarily the class the submission is attached to. Version 3.0.2 contains a patch. No known workarounds are available."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-18T20:43:21.893Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/autolab/Autolab/security/advisories/GHSA-rjg4-cf66-x6gr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/autolab/Autolab/security/advisories/GHSA-rjg4-cf66-x6gr"
},
{
"name": "https://github.com/autolab/Autolab/commit/96006d532a392eeca2d350d1811f8e8ab9625bda",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/autolab/Autolab/commit/96006d532a392eeca2d350d1811f8e8ab9625bda"
}
],
"source": {
"advisory": "GHSA-rjg4-cf66-x6gr",
"discovery": "UNKNOWN"
},
"title": "Autolab has vulnerable submission endpoints"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-52584",
"datePublished": "2024-11-18T20:43:21.893Z",
"dateReserved": "2024-11-14T15:05:46.766Z",
"dateUpdated": "2024-11-21T14:54:45.418Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-53260 (GCVE-0-2024-53260)
Vulnerability from cvelistv5
Published
2024-11-27 21:28
Modified
2024-11-29 18:10
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-1236 - Improper Neutralization of Formula Elements in a CSV File
Summary
Autolab is a course management service that enables auto-graded programming assignments. A user can modify their first and or last name to include a valid excel / spreadsheet formula. When an instructor downloads their course's roster and opens, this name will then be evaluated as a formula. This could lead to leakage of information of students in the course roster by sending the data to a remote endpoint. This issue has been patched in the source code repository and the fix is expected to be released in the next version. Users are advised to manually patch their systems or to wait for the next release. There are no known workarounds for this vulnerability.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/autolab/Autolab/security/advisories/GHSA-cqxx-pfmh-h43g | x_refsource_CONFIRM | |
| https://github.com/autolab/Autolab/commit/fe44b53815d37c63e751032205b692ccd5737620 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-53260",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-29T18:04:55.311080Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-29T18:10:01.006Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Autolab",
"vendor": "autolab",
"versions": [
{
"status": "affected",
"version": "\u003c= 3.0.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Autolab is a course management service that enables auto-graded programming assignments. A user can modify their first and or last name to include a valid excel / spreadsheet formula. When an instructor downloads their course\u0027s roster and opens, this name will then be evaluated as a formula. This could lead to leakage of information of students in the course roster by sending the data to a remote endpoint. This issue has been patched in the source code repository and the fix is expected to be released in the next version. Users are advised to manually patch their systems or to wait for the next release. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1236",
"description": "CWE-1236: Improper Neutralization of Formula Elements in a CSV File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-27T21:28:33.896Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/autolab/Autolab/security/advisories/GHSA-cqxx-pfmh-h43g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/autolab/Autolab/security/advisories/GHSA-cqxx-pfmh-h43g"
},
{
"name": "https://github.com/autolab/Autolab/commit/fe44b53815d37c63e751032205b692ccd5737620",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/autolab/Autolab/commit/fe44b53815d37c63e751032205b692ccd5737620"
}
],
"source": {
"advisory": "GHSA-cqxx-pfmh-h43g",
"discovery": "UNKNOWN"
},
"title": "Course Roster vulnerable to CSV Injection in Autolab"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-53260",
"datePublished": "2024-11-27T21:28:33.896Z",
"dateReserved": "2024-11-19T20:08:14.480Z",
"dateUpdated": "2024-11-29T18:10:01.006Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-53258 (GCVE-0-2024-53258)
Vulnerability from cvelistv5
Published
2024-11-25 19:19
Modified
2024-11-25 19:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Autolab is a course management service that enables auto-graded programming assignments. From Autolab versions v.3.0.0 onward students can download all assignments from another student, as long as they are logged in, using the download_all_submissions feature. This can allow for leakage of submissions to unauthorized users, such as downloading submissions from other students in the class, or even instructor test submissions, given they know their user IDs. This issue has been patched in commit `1aa4c769` which is not yet in a release version, but is expected to be included in version 3.0.3. Users are advised to either manually patch or to wait for version 3.0.3. As a workaround administrators can disable the feature.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/autolab/Autolab/security/advisories/GHSA-84qc-7773-2gg3 | x_refsource_CONFIRM | |
| https://github.com/autolab/Autolab/commit/1aa4c7690892fb458d2c61ff86739f368e34769d | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-53258",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-25T19:51:15.667145Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-25T19:51:49.057Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Autolab",
"vendor": "autolab",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0, before commit 1aa4c7690892fb458d2c61ff86739f368e34769d"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Autolab is a course management service that enables auto-graded programming assignments. From Autolab versions v.3.0.0 onward students can download all assignments from another student, as long as they are logged in, using the download_all_submissions feature. This can allow for leakage of submissions to unauthorized users, such as downloading submissions from other students in the class, or even instructor test submissions, given they know their user IDs. This issue has been patched in commit `1aa4c769` which is not yet in a release version, but is expected to be included in version 3.0.3. Users are advised to either manually patch or to wait for version 3.0.3. As a workaround administrators can disable the feature."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-359",
"description": "CWE-359: Exposure of Private Personal Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-25T19:19:24.920Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/autolab/Autolab/security/advisories/GHSA-84qc-7773-2gg3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/autolab/Autolab/security/advisories/GHSA-84qc-7773-2gg3"
},
{
"name": "https://github.com/autolab/Autolab/commit/1aa4c7690892fb458d2c61ff86739f368e34769d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/autolab/Autolab/commit/1aa4c7690892fb458d2c61ff86739f368e34769d"
}
],
"source": {
"advisory": "GHSA-84qc-7773-2gg3",
"discovery": "UNKNOWN"
},
"title": "download_all_submissions allows student to download another student\u0027s submissions in Autolab"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-53258",
"datePublished": "2024-11-25T19:19:24.920Z",
"dateReserved": "2024-11-19T20:08:14.480Z",
"dateUpdated": "2024-11-25T19:51:49.057Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-41956 (GCVE-0-2022-41956)
Vulnerability from cvelistv5
Published
2023-01-14 00:40
Modified
2024-08-03 12:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
Autolab is a course management service, initially developed by a team of students at Carnegie Mellon University, that enables instructors to offer autograded programming assignments to their students over the Web. A file disclosure vulnerability was discovered in Autolab's remote handin feature, whereby users are able to hand-in assignments using paths outside their submission directory. Users can then view the submission to view the file's contents. The vulnerability has been patched in version 2.10.0. As a workaround, ensure that the field for the remote handin feature is empty (Edit Assessment > Advanced > Remote handin path), and that you are not running Autolab as `root` (or any user that has write access to `/`). Alternatively, disable the remote handin feature if it is unneeded by replacing the body of `local_submit` in `app/controllers/assessment/handin.rb` with `render(plain: "Feature disabled", status: :bad_request) && return`.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/autolab/Autolab/security/advisories/GHSA-g7x7-mgrv-f24x | x_refsource_CONFIRM | |
| https://securitylab.github.com/advisories/GHSL-2022-100_Autolab/ | x_refsource_MISC | |
| https://www.stackhawk.com/blog/rails-path-traversal-guide-examples-and-prevention/ | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:56:38.655Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/autolab/Autolab/security/advisories/GHSA-g7x7-mgrv-f24x",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/autolab/Autolab/security/advisories/GHSA-g7x7-mgrv-f24x"
},
{
"name": "https://securitylab.github.com/advisories/GHSL-2022-100_Autolab/",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://securitylab.github.com/advisories/GHSL-2022-100_Autolab/"
},
{
"name": "https://www.stackhawk.com/blog/rails-path-traversal-guide-examples-and-prevention/",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.stackhawk.com/blog/rails-path-traversal-guide-examples-and-prevention/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Autolab",
"vendor": "autolab",
"versions": [
{
"status": "affected",
"version": "\u003c= 2.9.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Autolab is a course management service, initially developed by a team of students at Carnegie Mellon University, that enables instructors to offer autograded programming assignments to their students over the Web. A file disclosure vulnerability was discovered in Autolab\u0027s remote handin feature, whereby users are able to hand-in assignments using paths outside their submission directory. Users can then view the submission to view the file\u0027s contents. The vulnerability has been patched in version 2.10.0. As a workaround, ensure that the field for the remote handin feature is empty (Edit Assessment \u003e Advanced \u003e Remote handin path), and that you are not running Autolab as `root` (or any user that has write access to `/`). Alternatively, disable the remote handin feature if it is unneeded by replacing the body of `local_submit` in `app/controllers/assessment/handin.rb` with `render(plain: \"Feature disabled\", status: :bad_request) \u0026\u0026 return`."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-11T18:24:15.495Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/autolab/Autolab/security/advisories/GHSA-g7x7-mgrv-f24x",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/autolab/Autolab/security/advisories/GHSA-g7x7-mgrv-f24x"
},
{
"name": "https://securitylab.github.com/advisories/GHSL-2022-100_Autolab/",
"tags": [
"x_refsource_MISC"
],
"url": "https://securitylab.github.com/advisories/GHSL-2022-100_Autolab/"
},
{
"name": "https://www.stackhawk.com/blog/rails-path-traversal-guide-examples-and-prevention/",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.stackhawk.com/blog/rails-path-traversal-guide-examples-and-prevention/"
}
],
"source": {
"advisory": "GHSA-g7x7-mgrv-f24x",
"discovery": "UNKNOWN"
},
"title": "Autolab is vulnerable to file disclosure via remote handin feature"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-41956",
"datePublished": "2023-01-14T00:40:32.121Z",
"dateReserved": "2022-09-30T16:38:28.945Z",
"dateUpdated": "2024-08-03T12:56:38.655Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-32317 (GCVE-0-2023-32317)
Vulnerability from cvelistv5
Published
2023-05-26 22:42
Modified
2024-08-02 15:10
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
Autolab is a course management service that enables auto-graded programming assignments. A Tar slip vulnerability was found in the MOSS cheat checker functionality of Autolab. To exploit this vulnerability an authenticated attacker with instructor permissions needs to upload a specially crafted Tar file. Both "Base File Tar" and "Additional file archive" can be fed with Tar files that contain paths outside their target directories (e.g., `../../../../tmp/tarslipped2.sh`). When the MOSS cheat checker is started the files inside of the archives are expanded to the attacker-chosen locations. This issue may lead to arbitrary file write within the scope of the running process. This issue has been addressed in version 2.11.0. Users are advised to upgrade.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/autolab/Autolab/security/advisories/GHSA-h8g5-vhm4-wx6g | x_refsource_CONFIRM | |
| https://github.com/autolab/Autolab/commit/410a9228ee265f80692334d75eb2c3b4dac6f9e5 | x_refsource_MISC | |
| https://securitylab.github.com/advisories/GHSL-2023-081_GHSL-2023-082_Autolab/ | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:10:24.879Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/autolab/Autolab/security/advisories/GHSA-h8g5-vhm4-wx6g",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/autolab/Autolab/security/advisories/GHSA-h8g5-vhm4-wx6g"
},
{
"name": "https://github.com/autolab/Autolab/commit/410a9228ee265f80692334d75eb2c3b4dac6f9e5",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/autolab/Autolab/commit/410a9228ee265f80692334d75eb2c3b4dac6f9e5"
},
{
"name": "https://securitylab.github.com/advisories/GHSL-2023-081_GHSL-2023-082_Autolab/",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://securitylab.github.com/advisories/GHSL-2023-081_GHSL-2023-082_Autolab/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Autolab",
"vendor": "autolab",
"versions": [
{
"status": "affected",
"version": "\u003c 2.11.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Autolab is a course management service that enables auto-graded programming assignments. A Tar slip vulnerability was found in the MOSS cheat checker functionality of Autolab. To exploit this vulnerability an authenticated attacker with instructor permissions needs to upload a specially crafted Tar file. Both \"Base File Tar\" and \"Additional file archive\" can be fed with Tar files that contain paths outside their target directories (e.g., `../../../../tmp/tarslipped2.sh`). When the MOSS cheat checker is started the files inside of the archives are expanded to the attacker-chosen locations. This issue may lead to arbitrary file write within the scope of the running process. This issue has been addressed in version 2.11.0. Users are advised to upgrade."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-11T18:23:11.903Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/autolab/Autolab/security/advisories/GHSA-h8g5-vhm4-wx6g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/autolab/Autolab/security/advisories/GHSA-h8g5-vhm4-wx6g"
},
{
"name": "https://github.com/autolab/Autolab/commit/410a9228ee265f80692334d75eb2c3b4dac6f9e5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/autolab/Autolab/commit/410a9228ee265f80692334d75eb2c3b4dac6f9e5"
},
{
"name": "https://securitylab.github.com/advisories/GHSL-2023-081_GHSL-2023-082_Autolab/",
"tags": [
"x_refsource_MISC"
],
"url": "https://securitylab.github.com/advisories/GHSL-2023-081_GHSL-2023-082_Autolab/"
}
],
"source": {
"advisory": "GHSA-h8g5-vhm4-wx6g",
"discovery": "UNKNOWN"
},
"title": "Autolab tar slip in cheat checker functionality (`GHSL-2023-082`)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-32317",
"datePublished": "2023-05-26T22:42:09.929Z",
"dateReserved": "2023-05-08T13:26:03.879Z",
"dateUpdated": "2024-08-02T15:10:24.879Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-49376 (GCVE-0-2024-49376)
Vulnerability from cvelistv5
Published
2024-10-25 12:50
Modified
2024-10-25 15:05
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-287 - Improper Authentication
Summary
Autolab, a course management service that enables auto-graded programming assignments, has misconfigured reset password permissions in version 3.0.0. For email-based accounts, users with insufficient privileges could reset and theoretically access privileged users' accounts by resetting their passwords. This issue is fixed in version 3.0.1. No known workarounds exist.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/autolab/Autolab/security/advisories/GHSA-v46j-h43h-rwrm | x_refsource_CONFIRM | |
| https://github.com/autolab/Autolab/commit/301689ab5c5e39d13bab47b71eaf8998d04bcc9b | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-49376",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-25T15:05:04.602746Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-25T15:05:44.274Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Autolab",
"vendor": "autolab",
"versions": [
{
"status": "affected",
"version": "= 3.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Autolab, a course management service that enables auto-graded programming assignments, has misconfigured reset password permissions in version 3.0.0. For email-based accounts, users with insufficient privileges could reset and theoretically access privileged users\u0027 accounts by resetting their passwords. This issue is fixed in version 3.0.1. No known workarounds exist."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-25T12:50:33.130Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/autolab/Autolab/security/advisories/GHSA-v46j-h43h-rwrm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/autolab/Autolab/security/advisories/GHSA-v46j-h43h-rwrm"
},
{
"name": "https://github.com/autolab/Autolab/commit/301689ab5c5e39d13bab47b71eaf8998d04bcc9b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/autolab/Autolab/commit/301689ab5c5e39d13bab47b71eaf8998d04bcc9b"
}
],
"source": {
"advisory": "GHSA-v46j-h43h-rwrm",
"discovery": "UNKNOWN"
},
"title": "Autolab Has Misconfigured Reset Password Permissions"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-49376",
"datePublished": "2024-10-25T12:50:33.130Z",
"dateReserved": "2024-10-14T13:56:34.812Z",
"dateUpdated": "2024-10-25T15:05:44.274Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}