Lucene search

[email protected]CVE-2024-29021

HistoryApr 18, 2024 - 3:15 p.m.

CVE-2024-29021

2024-04-1815:15:29

CWE-918

CWE-1393

[email protected]

web.nvd.nist.gov

judge0

code execution

vulnerability

ssrf

sandbox escape

root access

fixed

nvd

9 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

7.2 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.1%

JSON

Judge0 is an open-source online code execution system. The default configuration of Judge0 leaves the service vulnerable to a sandbox escape via Server Side Request Forgery (SSRF). This allows an attacker with sufficient access to the Judge0 API to obtain unsandboxed code execution as root on the target machine. This vulnerability is fixed in 1.13.1.

Affected configurations

Vulners

Node

judge0judge0Range≤1.13.0

CNA Affected

[
  {
    "vendor": "judge0",
    "product": "judge0",
    "versions": [
      {
        "version": "<= 1.13.0",
        "status": "affected"
      }
    ]
  }
]

References

github.com/judge0/judge0/blob/ad66f77b131dbbebf2b9ff8083dca9a68680b3e5/app/jobs/isolate_job.rb#L203-L230

github.com/judge0/judge0/security/advisories/GHSA-q7vg-26pg-v5hr

Social References

9 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

7.2 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.1%

JSON

Related for CVE-2024-29021

cvelist1 nvd1 thn1