CVE-2023-32317

Severity: High (CVSS 3.1 base score 7.2)
EPSS: 54.8%
Published: May 26, 2023
Last Modified: Jun 17, 2026

Description

Autolab is a course management service that enables auto-graded programming assignments. A Tar slip vulnerability was found in the MOSS cheat checker functionality of Autolab. To exploit this vulnerability, an authenticated attacker with instructor permissions needs to upload a specially crafted Tar file. Both the "Base File Tar" and the "Additional file archive" inputs accept Tar files containing entries whose paths point outside their target directories (e.g., `../../../../tmp/tarslipped2.sh`). When the MOSS cheat checker is started, the files inside the archives are extracted to the attacker-chosen locations. This issue may lead to arbitrary file write within the scope of the running process. This issue has been addressed in version 2.11.0. Users are advised to upgrade.
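The defensive check that closes this class of bug is to resolve every archive entry's destination before writing it and refuse anything that lands outside the target directory. The Ruby routine below is an added example, not code from Autolab or its fix; it builds a constructed in-memory archive containing the advisory's `../../../../tmp/tarslipped2.sh` entry, and the helper names and the extraction directory are assumptions.

```ruby
require 'rubygems/package'
require 'stringio'
require 'fileutils'
require 'tmpdir'

# Build a tar archive in memory (constructed sample standing in for an upload).
def build_tar(entries)
  io = StringIO.new
  Gem::Package::TarWriter.new(io) do |tar|
    entries.each { |name, body| tar.add_file_simple(name, 0o644, body.bytesize) { |f| f.write(body) } }
  end
  io.string
end

# Extract the archive under dest, refusing any entry that would land outside it.
# Returns [written_paths, refused], where refused maps entry name => reason.
# Links are refused outright: a link written first could redirect a later entry.
def extract_safely(tar_bytes, dest)
  root = File.expand_path(dest)
  written, refused = [], {}
  Gem::Package::TarReader.new(StringIO.new(tar_bytes)) do |tar|
    tar.each do |entry|
      name = entry.full_name
      # Joining first keeps a leading "/" or "~" from escaping; expand_path then
      # resolves every ".." so the containment test sees the real destination.
      target = File.expand_path(File.join(root, name))
      if entry.symlink? || entry.header.typeflag == "1"
        refused[name] = :link
      elsif target != root && !target.start_with?(root + "/")
        refused[name] = :outside_destination
      elsif entry.directory?
        FileUtils.mkdir_p(target)
      elsif entry.file?
        FileUtils.mkdir_p(File.dirname(target))
        File.binwrite(target, entry.read)
        written << target
      end
    end
  end
  [written, refused]
end

# Constructed archive: one legitimate base file plus the advisory's traversal entry.
SAMPLE_TAR = build_tar("base/hello.c" => "int main(void) { return 0; }\n",
                       "../../../../tmp/tarslipped2.sh" => "#!/bin/sh\necho tarslipped\n")
if __FILE__ == $PROGRAM_NAME
  written, refused = extract_safely(SAMPLE_TAR, Dir.mktmpdir)
  puts "written: #{written.inspect}", "refused: #{refused.inspect}"
end
```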

CVSS Details

Base Score
7.2
Exploitability
1.2
Impact
5.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required High
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
54.8% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-22 Path Traversal Resource Mgmt

Affected Products 1

Vendor          Product   Version   Range
autolabproject  autolab   *         <2.11.0

References 3

  • github.com https://github.com/autolab/Autolab/commit/410a9228ee265f80692334d75eb2c3b4dac6f9e5
    Patch
  • github.com https://github.com/autolab/Autolab/security/advisories/GHSA-h8g5-vhm4-wx6g
    Vendor Advisory
  • securitylab.github.com https://securitylab.github.com/advisories/GHSL-2023-081_GHSL-2023-082_Autolab/

Remediation

  • github.com https://github.com/autolab/Autolab/commit/410a9228ee265f80692334d75eb2c3b4dac6f9e5
    Patch