Lucene search

GitHub_MCVELIST:CVE-2023-44395

HistoryJan 22, 2024 - 2:51 p.m.

CVE-2023-44395 Autolab has Path Traversal vulnerability in Assessment functionality

2024-01-2214:51:14

CWE-22

GitHub_M

www.cve.org

autolab

path traversal

assessment

vulnerability

version 2.12.0

CVSS3

4.9

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

30.7%

JSON

Autolab is a course management service that enables instructors to offer autograded programming assignments to their students over the Web. Path traversal vulnerabilities were discovered in Autolab’s assessment functionality in versions of Autolab prior to 2.12.0, whereby instructors can perform arbitrary file reads. Version 2.12.0 contains a patch. There are no feasible workarounds for this issue.

CNA Affected

[
  {
    "vendor": "autolab",
    "product": "Autolab",
    "versions": [
      {
        "version": "< 2.12.0",
        "status": "affected"
      }
    ]
  }
]

References

github.com/autolab/Autolab/releases/tag/v2.12.0

github.com/autolab/Autolab/security/advisories/GHSA-h8wq-ghfq-5hfx

www.stackhawk.com/blog/rails-path-traversal-guide-examples-and-prevention/

CVSS3

4.9

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

30.7%

JSON

Related for CVELIST:CVE-2023-44395