CVE-2024-52584
Vulnerability from cvelistv5
Published
2024-11-18 20:43
Modified
2024-11-21 14:54
Severity ?
EPSS score ?
Summary
Autolab has vulnerable submission endpoints
References
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-52584", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-11-19T15:33:21.755042Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-11-21T14:54:45.418Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "Autolab", "vendor": "autolab", "versions": [ { "status": "affected", "version": "= 3.0.1" } ] } ], "descriptions": [ { "lang": "en", "value": "Autolab is a course management service that enables auto-graded programming assignments. There is a vulnerability in version 3.0.1 where CAs can view or edit the grade for any submission ID, even if they are not a CA for the class that has the submission. The endpoints only check that the CAs have the authorization level of a CA in the class in the endpoint, which is not necessarily the class the submission is attached to. Version 3.0.2 contains a patch. No known workarounds are available." } ], "metrics": [ { "cvssV4_0": { "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 4.9, "baseSeverity": "MEDIUM", "privilegesRequired": "LOW", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-18T20:43:21.893Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/autolab/Autolab/security/advisories/GHSA-rjg4-cf66-x6gr", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/autolab/Autolab/security/advisories/GHSA-rjg4-cf66-x6gr" }, { "name": "https://github.com/autolab/Autolab/commit/96006d532a392eeca2d350d1811f8e8ab9625bda", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/autolab/Autolab/commit/96006d532a392eeca2d350d1811f8e8ab9625bda" } ], "source": { "advisory": "GHSA-rjg4-cf66-x6gr", "discovery": "UNKNOWN" }, "title": "Autolab has vulnerable submission endpoints" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-52584", "datePublished": "2024-11-18T20:43:21.893Z", "dateReserved": "2024-11-14T15:05:46.766Z", "dateUpdated": "2024-11-21T14:54:45.418Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2024-52584\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-11-18T21:15:07.047\",\"lastModified\":\"2024-11-21T15:15:34.693\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Autolab is a course management service that enables auto-graded programming assignments. There is a vulnerability in version 3.0.1 where CAs can view or edit the grade for any submission ID, even if they are not a CA for the class that has the submission. The endpoints only check that the CAs have the authorization level of a CA in the class in the endpoint, which is not necessarily the class the submission is attached to. Version 3.0.2 contains a patch. No known workarounds are available.\"},{\"lang\":\"es\",\"value\":\"Autolab es un servicio de gesti\u00f3n de cursos que permite la calificaci\u00f3n autom\u00e1tica de tareas de programaci\u00f3n. Existe una vulnerabilidad en la versi\u00f3n 3.0.1 en la que los CA pueden ver o editar la calificaci\u00f3n de cualquier ID de env\u00edo, incluso si no son CA de la clase que tiene el env\u00edo. Los endpoints solo verifican que los CA tengan el nivel de autorizaci\u00f3n de un CA de la clase en el endpoint, que no es necesariamente la clase a la que est\u00e1 asociado el env\u00edo. La versi\u00f3n 3.0.2 contiene un parche. No hay workarounds disponibles.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":4.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnerableSystemConfidentiality\":\"HIGH\",\"vulnerableSystemIntegrity\":\"NONE\",\"vulnerableSystemAvailability\":\"NONE\",\"subsequentSystemConfidentiality\":\"NONE\",\"subsequentSystemIntegrity\":\"NONE\",\"subsequentSystemAvailability\":\"NONE\",\"exploitMaturity\":\"UNREPORTED\",\"confidentialityRequirements\":\"NOT_DEFINED\",\"integrityRequirements\":\"NOT_DEFINED\",\"availabilityRequirements\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnerableSystemConfidentiality\":\"NOT_DEFINED\",\"modifiedVulnerableSystemIntegrity\":\"NOT_DEFINED\",\"modifiedVulnerableSystemAvailability\":\"NOT_DEFINED\",\"modifiedSubsequentSystemConfidentiality\":\"NOT_DEFINED\",\"modifiedSubsequentSystemIntegrity\":\"NOT_DEFINED\",\"modifiedSubsequentSystemAvailability\":\"NOT_DEFINED\",\"safety\":\"NOT_DEFINED\",\"automatable\":\"NOT_DEFINED\",\"recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-863\"}]}],\"references\":[{\"url\":\"https://github.com/autolab/Autolab/commit/96006d532a392eeca2d350d1811f8e8ab9625bda\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/autolab/Autolab/security/advisories/GHSA-rjg4-cf66-x6gr\",\"source\":\"security-advisories@github.com\"}]}}" } }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.