CVE-2023-44395 - OpenCVE

Autolab is a course management service that enables instructors to offer autograded programming assignments to their students over the Web. Path traversal vulnerabilities were discovered in Autolab's assessment functionality in versions of Autolab prior to 2.12.0, whereby instructors can perform arbitrary file reads. Version 2.12.0 contains a patch. There are no feasible workarounds for this issue.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Autolabproject	Autolab

Configuration 1 [-]

cpe:2.3:a:autolabproject:autolab:*:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/autolab/Autolab/releases/tag/v2.12.0	Release Notes
https://github.com/autolab/Autolab/security/advisories/GHSA-h8wq-ghfq-5hfx	Vendor Advisory
https://www.stackhawk.com/blog/rails-path-traversal-guide-examples-and-prevention/	Technical Description

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-01-22T14:51:14.371Z

Updated: 2024-01-22T14:51:14.371Z

Reserved: 2023-09-28T17:56:32.614Z

Link: CVE-2023-44395

JSON object: View

NVD Information

Status : Analyzed

Published: 2024-01-22T15:15:08.037

Modified: 2024-01-29T17:33:31.320

Link: CVE-2023-44395

JSON object: View

Redhat Information

No data.

CWE

CWE-22

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-44395", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-09-28T17:56:32.614Z", "datePublished": "2024-01-22T14:51:14.371Z", "dateUpdated": "2024-01-22T14:51:14.371Z"}, "containers": {"cna": {"title": "Autolab has Path Traversal vulnerability in Assessment functionality", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/autolab/Autolab/security/advisories/GHSA-h8wq-ghfq-5hfx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/autolab/Autolab/security/advisories/GHSA-h8wq-ghfq-5hfx"}, {"name": "https://github.com/autolab/Autolab/releases/tag/v2.12.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/autolab/Autolab/releases/tag/v2.12.0"}, {"name": "https://www.stackhawk.com/blog/rails-path-traversal-guide-examples-and-prevention/", "tags": ["x_refsource_MISC"], "url": "https://www.stackhawk.com/blog/rails-path-traversal-guide-examples-and-prevention/"}], "affected": [{"vendor": "autolab", "product": "Autolab", "versions": [{"version": "< 2.12.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-01-22T14:51:14.371Z"}, "descriptions": [{"lang": "en", "value": "Autolab is a course management service that enables instructors to offer autograded programming assignments to their students over the Web. Path traversal vulnerabilities were discovered in Autolab's assessment functionality in versions of Autolab prior to 2.12.0, whereby instructors can perform arbitrary file reads. Version 2.12.0 contains a patch. There are no feasible workarounds for this issue."}], "source": {"advisory": "GHSA-h8wq-ghfq-5hfx", "discovery": "UNKNOWN"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:autolabproject:autolab:*:*:*:*:*:*:*:*", "matchCriteriaId": "E1C7D024-2BC5-4EB3-8FF6-006C25BBAFFD", "versionEndExcluding": "2.12.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Autolab is a course management service that enables instructors to offer autograded programming assignments to their students over the Web. Path traversal vulnerabilities were discovered in Autolab's assessment functionality in versions of Autolab prior to 2.12.0, whereby instructors can perform arbitrary file reads. Version 2.12.0 contains a patch. There are no feasible workarounds for this issue."}, {"lang": "es", "value": "Autolab es un servicio de gesti\u00f3n de cursos que permite a los profesores ofrecer tareas de programaci\u00f3n con calificaci\u00f3n autom\u00e1tica a sus estudiantes a trav\u00e9s de la Web. Se descubrieron vulnerabilidades de path traversal en la funcionalidad de evaluaci\u00f3n de Autolab en versiones de Autolab anteriores a la 2.12.0, mediante las cuales los instructores pueden realizar lecturas de archivos arbitrarias. La versi\u00f3n 2.12.0 contiene un parche. No existen workarounds viables para este problema."}], "id": "CVE-2023-44395", "lastModified": "2024-01-29T17:33:31.320", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-01-22T15:15:08.037", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/autolab/Autolab/releases/tag/v2.12.0"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/autolab/Autolab/security/advisories/GHSA-h8wq-ghfq-5hfx"}, {"source": "security-advisories@github.com", "tags": ["Technical Description"], "url": "https://www.stackhawk.com/blog/rails-path-traversal-guide-examples-and-prevention/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}