cve-2024-53260
Vulnerability from cvelistv5
Published
2024-11-27 21:28
Modified
2024-11-29 18:10
Summary
Course Roster vulnerable to CSV Injection in Autolab
Impacted products
Vendor Product Version


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-53260",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-29T18:04:55.311080Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-29T18:10:01.006Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Autolab",
          "vendor": "autolab",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 3.0.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Autolab is a course management service that enables auto-graded programming assignments. A user can modify their first and/or last name to include a valid Excel / spreadsheet formula. When an instructor downloads their course\u0027s roster and opens it, this name will then be evaluated as a formula. This could lead to leakage of information of students in the course roster by sending the data to a remote endpoint. This issue has been patched in the source code repository and the fix is expected to be released in the next version. Users are advised to manually patch their systems or to wait for the next release. There are no known workarounds for this vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1236",
              "description": "CWE-1236: Improper Neutralization of Formula Elements in a CSV File",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-27T21:28:33.896Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/autolab/Autolab/security/advisories/GHSA-cqxx-pfmh-h43g",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/autolab/Autolab/security/advisories/GHSA-cqxx-pfmh-h43g"
        },
        {
          "name": "https://github.com/autolab/Autolab/commit/fe44b53815d37c63e751032205b692ccd5737620",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/autolab/Autolab/commit/fe44b53815d37c63e751032205b692ccd5737620"
        }
      ],
      "source": {
        "advisory": "GHSA-cqxx-pfmh-h43g",
        "discovery": "UNKNOWN"
      },
      "title": "Course Roster vulnerable to CSV Injection in Autolab"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-53260",
    "datePublished": "2024-11-27T21:28:33.896Z",
    "dateReserved": "2024-11-19T20:08:14.480Z",
    "dateUpdated": "2024-11-29T18:10:01.006Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-53260\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-11-27T22:15:05.353\",\"lastModified\":\"2024-11-27T22:15:05.353\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Autolab is a course management service that enables auto-graded programming assignments. A user can modify their first and or last name to include a valid excel / spreadsheet formula. When an instructor downloads their course\u0027s roster and opens, this name will then be evaluated as a formula. This could lead to leakage of information of students in the course roster by sending the data to a remote endpoint. This issue has been patched in the source code repository and the fix is expected to be released in the next version. Users are advised to manually patch their systems or to wait for the next release. There are no known workarounds for this vulnerability.\"},{\"lang\":\"es\",\"value\":\"Autolab es un servicio de gesti\u00f3n de cursos que permite la calificaci\u00f3n autom\u00e1tica de tareas de programaci\u00f3n. Un usuario puede modificar su nombre y apellido para incluir una f\u00f3rmula v\u00e1lida de Excel o de una hoja de c\u00e1lculo. Cuando un instructor descarga la lista de su curso y la abre, este nombre se evaluar\u00e1 como una f\u00f3rmula. Esto podr\u00eda provocar una fuga de informaci\u00f3n de los estudiantes en la lista del curso al enviar los datos a un punto final remoto. Este problema se ha corregido en el repositorio de c\u00f3digo fuente y se espera que la soluci\u00f3n se publique en la pr\u00f3xima versi\u00f3n. Se recomienda a los usuarios que apliquen manualmente el parche a sus sistemas o que esperen a la pr\u00f3xima versi\u00f3n. 
No se conocen workarounds para esta vulnerabilidad.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N\",\"baseScore\":6.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":4.0}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1236\"}]}],\"references\":[{\"url\":\"https://github.com/autolab/Autolab/commit/fe44b53815d37c63e751032205b692ccd5737620\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/autolab/Autolab/security/advisories/GHSA-cqxx-pfmh-h43g\",\"source\":\"security-advisories@github.com\"}]}}"
  }
}







Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.