Home > Vulnerability Database > CVE-2024-28189

Mend.io Vulnerability Database

CVE-2024-28189

Date: April 18, 2024

Judge0 is an open-source online code execution system. The application uses the UNIX chown command on an untrusted file within the sandbox. An attacker can abuse this by creating a symbolic link (symlink) to a file outside the sandbox, allowing the attacker to run chown on arbitrary files outside of the sandbox. This vulnerability is not impactful on it's own, but it can be used to bypass the patch for CVE-2024-28185 and obtain a complete sandbox escape. This vulnerability is fixed in 1.13.1.

Language: Ruby

Severity Score

10.0

Related Resources (6)

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-28189

Url: https://github.com/judge0/judge0/blob/v1.13.0/app/jobs/isolate_job.rb#L232

Url: https://github.com/judge0/judge0/security/advisories/GHSA-h9g2-45c8-89cf

Url: https://github.com/judge0/judge0/commit/f3b8547b3b67863e4ea0ded3adcb963add56addd

Url: https://github.com/judge0/judge0/security/advisories/GHSA-3xpw-36v7-2cmg

Url: https://www.mend.io/vulnerability-database/CVE-2024-28189

Severity Score

10.0

Weakness Type (CWE)

Improper Link Resolution Before File Access ('Link Following')

CWE-59

UNIX Symbolic Link (Symlink) Following

CWE-61

CVSS v3.1

Base Score:	10.0
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-28189

Date: April 18, 2024

Language: Ruby

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?