Veracode Vulnerability Database, VERACODE:45122
History: Jan 23, 2024 - 7:32 a.m.

Sandbox Escape

2024-01-23 07:32:55
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
sandbox escape
whitelisted class packages
securitymanager
arbitrary execution

CVSS3: 8.2 High

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

AI Score: 7.3 High (Confidence: High)

EPSS: 0.0004 Low (Percentile: 5.1%)

de.tum.in.ase, artemis-java-test-sandbox is vulnerable to Sandbox Escape. The vulnerability is due to allowing users to create whitelisted class packages in the SecurityManager. An attacker can exploit this to include class files in a package that Ares trusts, leading to arbitrary Java code execution when a victim executes the supposedly sandboxed code.

CPE Name    Operator    Version
ares        le          1.7.6
