CVE-2023-32676

Published: May 26, 2023

Modified: Oct 15, 2024

PUBLISHED

CVSS v3.1

6.7

MEDIUM

Description

Autolab is a course management service that enables auto-graded programming assignments. A Tar slip vulnerability was found in the Install assessment functionality of Autolab. To exploit this vulnerability an authenticated attacker with instructor permissions needs to upload a specially crafted Tar file. Using the install assessment functionality an attacker can feed a Tar file that contain files with paths pointing outside of the target directory (e.g., `../../../../tmp/tarslipped1.sh`). When the Install assessment form is submitted the files inside of the archives are expanded to the attacker-chosen locations. This issue has been addressed in version 2.11.0. Users are advised to upgrade.

Vendor	Product	Versions
autolab	Autolab	affected `< 2.11.0`

Weaknesses (CWE)

CWE-22

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

High

Availability

High

References

https://github.com/autolab/Autolab/security/advisories/GHSA-x9hj-r9q4-832c

x_refsource_CONFIRM

https://github.com/autolab/Autolab/commit/14f508484a8323eceb0cf3a128573b43eabbc80d

x_refsource_MISC

https://securitylab.github.com/advisories/GHSL-2023-081_GHSL-2023-082_Autolab/

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2023-32676

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References