CVE-2023-44395
4.9
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Summary
Autolab is a course management service that enables instructors to offer autograded programming assignments to their students over the Web. Path traversal vulnerabilities were discovered in Autolab's assessment functionality in versions of Autolab prior to 2.12.0, whereby instructors can perform arbitrary file reads. Version 2.12.0 contains a patch. There are no feasible workarounds for this issue.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| autolab | Autolab | < 2.12.0 | affected |
Weaknesses
- CWE-22: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/autolab/Autolab/security/advisories/GHSA-h8wq-ghfq-5hfx
- https://github.com/autolab/Autolab/releases/tag/v2.12.0
- https://www.stackhawk.com/blog/rails-path-traversal-guide-examples-and-prevention/
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://github.com/autolab/Autolab/security/advisories/GHSA-h8wq-ghfq-5hfx
- https://github.com/autolab/Autolab/releases/tag/v2.12.0
- https://www.stackhawk.com/blog/rails-path-traversal-guide-examples-and-prevention/
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.