CVE-2024-52584

Autolab has vulnerable submission endpoints

Severity Score

4.9

*CVSS v4

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

Autolab is a course management service that enables auto-graded programming assignments. There is a vulnerability in version 3.0.1 where CAs can view or edit the grade for any submission ID, even if they are not a CA for the class that has the submission. The endpoints only check that the CAs have the authorization level of a CA in the class in the endpoint, which is not necessarily the class the submission is attached to. Version 3.0.2 contains a patch. No known workarounds are available.

*Credits: N/A

CVSS Scores

GitHubv4 4.9

Attack Vector

Network

Attack Complexity

Low

Attack Requirements

None

Privileges Required

Low

User Interaction

None

System

Vulnerable | Subsequent

Confidentiality

High

None

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-11-14 CVE Reserved
2024-11-18 CVE Published
2024-11-19 EPSS Updated
2024-11-21 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-863: Incorrect Authorization

CAPEC

References (2)

URL	Tag	Source
https://github.com/autolab/Autolab/commit/96006d532a392eeca2d350d1811f8e8ab9625bda	X_refsource_misc
https://github.com/autolab/Autolab/security/advisories/GHSA-rjg4-cf66-x6gr	X_refsource_confirm

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Autolab Search vendor "Autolab"		Autolab Search vendor "Autolab" for product "Autolab"				3.0.1 Search vendor "Autolab" for product "Autolab" and version "3.0.1"		en		Affected