Home > Vulnerability Database > CVE-2023-32317

Mend.io Vulnerability Database

CVE-2023-32317

Date: May 26, 2023

Autolab is a course management service that enables auto-graded programming assignments. A Tar slip vulnerability was found in the MOSS cheat checker functionality of Autolab. To exploit this vulnerability an authenticated attacker with instructor permissions needs to upload a specially crafted Tar file. Both "Base File Tar" and "Additional file archive" can be fed with Tar files that contain paths outside their target directories (e.g., "../../../../tmp/tarslipped2.sh"). When the MOSS cheat checker is started the files inside of the archives are expanded to the attacker-chosen locations. This issue may lead to arbitrary file write within the scope of the running process. This issue has been addressed in version 2.11.0. Users are advised to upgrade.

Language: Ruby

Severity Score

6.7

Related Resources (5)

Url: https://github.com/autolab/Autolab/commit/410a9228ee265f80692334d75eb2c3b4dac6f9e5

Url: https://securitylab.github.com/advisories/GHSL-2023-081_GHSL-2023-082_Autolab/

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-32317

Url: https://github.com/autolab/Autolab/security/advisories/GHSA-h8g5-vhm4-wx6g

Url: https://www.mend.io/vulnerability-database/CVE-2023-32317

Severity Score

6.7

Weakness Type (CWE)

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22

CVSS v3.1

Base Score:	6.7
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	HIGH
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2023-32317

Date: May 26, 2023

Language: Ruby

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?