CVE-2022-41956 – Autolab is vulnerable to file disclosure via remote handin feature
https://notcve.org/view.php?id=CVE-2022-41956
Autolab is a course management service, initially developed by a team of students at Carnegie Mellon University, that enables instructors to offer autograded programming assignments to their students over the Web. A file disclosure vulnerability was discovered in Autolab's remote handin feature, whereby users are able to hand-in assignments using paths outside their submission directory. Users can then view the submission to view the file's contents. The vulnerability has been patched in version 2.10.0. As a workaround, ensure that the field for the remote handin feature is empty (Edit Assessment > Advanced > Remote handin path), and that you are not running Autolab as `root` (or any user that has write access to `/`). • https://github.com/autolab/Autolab/security/advisories/GHSA-g7x7-mgrv-f24x https://securitylab.github.com/advisories/GHSL-2022-100_Autolab https://www.stackhawk.com/blog/rails-path-traversal-guide-examples-and-prevention • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2022-41955 – Autolab is vulnerable to remote code execution (RCE) via MOSS functionality
https://notcve.org/view.php?id=CVE-2022-41955
Autolab is a course management service, initially developed by a team of students at Carnegie Mellon University, that enables instructors to offer autograded programming assignments to their students over the Web. A remote code execution vulnerability was discovered in Autolab's MOSS functionality, whereby an instructor with access to the feature might be able to execute code on the server hosting Autolab. This vulnerability has been patched in version 2.10.0. As a workaround, disable the MOSS feature if it is unneeded by replacing the body of `run_moss` in `app/controllers/courses_controller.rb` with `render(plain: "Feature disabled", status: :bad_request) && return`. • https://github.com/autolab/Autolab/security/advisories/GHSA-x5r3-vf3p-3269 https://securitylab.github.com/advisories/GHSL-2022-100_Autolab • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2022-0936 – Cross-site Scripting (XSS) - Stored in autolab/autolab
https://notcve.org/view.php?id=CVE-2022-0936
Cross-site Scripting (XSS) - Stored in GitHub repository autolab/autolab prior to 2.8.0. Una vulnerabilidad de tipo Cross-site Scripting (XSS) - Almacenado en el repositorio de GitHub autolab/autolab versiones anteriores a 2.8.0 • https://github.com/autolab/autolab/commit/02d76ab3737689bba95ffe9a1c69ca5166d71c6b https://huntr.dev/bounties/90701766-bfed-409e-b3dd-6ff884373968 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •