Autolab
CVE-2023-32676
HIGH
Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
Autolab is a course management service that enables auto-graded programming assignments. A Tar slip vulnerability was found in the Install assessment functionality of Autolab. To exploit this vulnerability an authenticated attacker with instructor permissions needs to upload a specially crafted Tar file. Using the install assessment functionality an attacker can feed a Tar file that contain files with paths pointing outside of the target directory (e.g., ../../../../tmp/tarslipped1.sh). When the Install assessment form is submitted the files inside of the archives are expanded to the attacker-chosen locations. This issue has been addressed in version 2.11.0. Users are advised to upgrade.
AnalysisAI
Autolab is a course management service that enables auto-graded programming assignments. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.
Technical ContextAI
This vulnerability is classified as Path Traversal (CWE-22), which allows attackers to access files and directories outside the intended path. Autolab is a course management service that enables auto-graded programming assignments. A Tar slip vulnerability was found in the Install assessment functionality of Autolab. To exploit this vulnerability an authenticated attacker with instructor permissions needs to upload a specially crafted Tar file. Using the install assessment functionality an attacker can feed a Tar file that contain files with paths pointing outside of the target directory (e.g., ../../../../tmp/tarslipped1.sh). When the Install assessment form is submitted the files inside of the archives are expanded to the attacker-chosen locations. This issue has been addressed in version 2.11.0. Users are advised to upgrade. Affected products include: Autolabproject Autolab. Version information: version 2.11.0..
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Validate and canonicalize file paths. Use chroot or sandboxing. Reject input containing path separators or '../' sequences.
Cross-site Scripting (XSS) - Stored in GitHub repository autolab/autolab prior to 2.8.0. Rated medium severity (CVSS 5.4
Autolab is a course management service that enables auto-graded programming assignments. Rated high severity (CVSS 7.2),
Autolab is a course management service that enables auto-graded programming assignments. Rated high severity (CVSS 7.1),
Autolab, a course management service that enables auto-graded programming assignments, has misconfigured reset password
Autolab is a course management service that enables auto-graded programming assignments. Rated medium severity (CVSS 6.8
Autolab is a course management service that enables auto-graded programming assignments. Rated medium severity (CVSS 4.9
Autolab is a course management service that enables auto-graded programming assignments. Rated low severity (CVSS 1.2),
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today