CVE-2023-44395

Autolab is a course management service that enables instructors to offer autograded programming assignments to their students over the Web. Path traversal vulnerabilities were discovered in Autolab's assessment functionality in versions of Autolab prior to 2.12.0, whereby instructors can perform arbitrary file reads. Version 2.12.0 contains a patch. There are no feasible workarounds for this issue.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/autolab/Autolab/releases/tag/v2.12.0	Release Notes
https://github.com/autolab/Autolab/security/advisories/GHSA-h8wq-ghfq-5hfx	Vendor Advisory
https://www.stackhawk.com/blog/rails-path-traversal-guide-examples-and-prevention/	Technical Description

Configurations

Configuration 1 (hide)

cpe:2.3:a:autolabproject:autolab:*:*:*:*:*:*:*:*

History

29 Jan 2024, 17:33

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.5
CPE		cpe:2.3:a:autolabproject:autolab::::::::
References	~~() https://github.com/autolab/Autolab/releases/tag/v2.12.0 -~~	() https://github.com/autolab/Autolab/releases/tag/v2.12.0 - Release Notes
References	~~() https://github.com/autolab/Autolab/security/advisories/GHSA-h8wq-ghfq-5hfx -~~	() https://github.com/autolab/Autolab/security/advisories/GHSA-h8wq-ghfq-5hfx - Vendor Advisory
References	~~() https://www.stackhawk.com/blog/rails-path-traversal-guide-examples-and-prevention/ -~~	() https://www.stackhawk.com/blog/rails-path-traversal-guide-examples-and-prevention/ - Technical Description

22 Jan 2024, 19:10

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-01-22 15:15

Updated : 2024-02-05 00:22

NVD link : CVE-2023-44395

Mitre link : CVE-2023-44395

CVE.ORG link : CVE-2023-44395

JSON object : View

Products Affected

autolabproject

autolab

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2023-44395", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.2}]}, "published": "2024-01-22T15:15:08.037", "references": [{"url": "https://github.com/autolab/Autolab/releases/tag/v2.12.0", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/autolab/Autolab/security/advisories/GHSA-h8wq-ghfq-5hfx", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://www.stackhawk.com/blog/rails-path-traversal-guide-examples-and-prevention/", "tags": ["Technical Description"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "Autolab is a course management service that enables instructors to offer autograded programming assignments to their students over the Web. Path traversal vulnerabilities were discovered in Autolab's assessment functionality in versions of Autolab prior to 2.12.0, whereby instructors can perform arbitrary file reads. Version 2.12.0 contains a patch. There are no feasible workarounds for this issue."}, {"lang": "es", "value": "Autolab es un servicio de gesti\u00f3n de cursos que permite a los profesores ofrecer tareas de programaci\u00f3n con calificaci\u00f3n autom\u00e1tica a sus estudiantes a trav\u00e9s de la Web. Se descubrieron vulnerabilidades de path traversal en la funcionalidad de evaluaci\u00f3n de Autolab en versiones de Autolab anteriores a la 2.12.0, mediante las cuales los instructores pueden realizar lecturas de archivos arbitrarias. La versi\u00f3n 2.12.0 contiene un parche. No existen workarounds viables para este problema."}], "lastModified": "2024-01-29T17:33:31.320", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:autolabproject:autolab:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E1C7D024-2BC5-4EB3-8FF6-006C25BBAFFD", "versionEndExcluding": "2.12.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}