CVE-2022-41956

2023-01-1401:15:13

CWE-22

[email protected]

web.nvd.nist.gov

autolab

course management

file disclosure

vulnerability

remote handin

patch

cve-2022-41956

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

50.4%

JSON

Autolab is a course management service, initially developed by a team of students at Carnegie Mellon University, that enables instructors to offer autograded programming assignments to their students over the Web. A file disclosure vulnerability was discovered in Autolab’s remote handin feature, whereby users are able to hand-in assignments using paths outside their submission directory. Users can then view the submission to view the file’s contents. The vulnerability has been patched in version 2.10.0. As a workaround, ensure that the field for the remote handin feature is empty (Edit Assessment > Advanced > Remote handin path), and that you are not running Autolab as root (or any user that has write access to /). Alternatively, disable the remote handin feature if it is unneeded by replacing the body of local_submit in app/controllers/assessment/handin.rb with render(plain: "Feature disabled", status: :bad_request) && return.

Affected configurations

Vulners

NVD

Node

autolabautolabRange≤2.9.0

CPENameOperatorVersion
autolabproject:autolabautolabproject autolablt2.10.0

CPE	Name	Operator	Version
autolabproject:autolab	autolabproject autolab	lt	2.10.0

CNA Affected

[
  {
    "vendor": "autolab",
    "product": "Autolab",
    "versions": [
      {
        "version": "<= 2.9.0",
        "status": "affected"
      }
    ]
  }
]