CVE-2023-44395 - Vulnerability Details - OpenCVE

Autolab is a course management service that enables instructors to offer autograded programming assignments to their students over the Web. Path traversal vulnerabilities were discovered in Autolab's assessment functionality in versions of Autolab prior to 2.12.0, whereby instructors can perform arbitrary file reads. Version 2.12.0 contains a patch. There are no feasible workarounds for this issue.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Autolabproject	Autolab

Configuration 1 [-]

cpe:2.3:a:autolabproject:autolab:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/autolab/Autolab/releases/tag/v2.12.0
https://github.com/autolab/Autolab/security/advisories/GHSA-h8wq-ghfq-5hfx
https://www.stackhawk.com/blog/rails-path-traversal-guide-examples-and-prevention/

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-01-22T14:51:14.371Z

Updated: 2024-08-23T19:18:41.408Z

Reserved: 2023-09-28T17:56:32.614Z

Link: CVE-2023-44395

Vulnrichment

Updated: 2024-08-02T20:07:33.190Z

NVD

Status : Modified

Published: 2024-01-22T15:15:08.037

Modified: 2024-11-21T08:25:48.913

Link: CVE-2023-44395

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-44395", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-09-28T17:56:32.614Z", "datePublished": "2024-01-22T14:51:14.371Z", "dateUpdated": "2024-08-23T19:18:41.408Z"}, "containers": {"cna": {"title": "Autolab has Path Traversal vulnerability in Assessment functionality", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/autolab/Autolab/security/advisories/GHSA-h8wq-ghfq-5hfx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/autolab/Autolab/security/advisories/GHSA-h8wq-ghfq-5hfx"}, {"name": "https://github.com/autolab/Autolab/releases/tag/v2.12.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/autolab/Autolab/releases/tag/v2.12.0"}, {"name": "https://www.stackhawk.com/blog/rails-path-traversal-guide-examples-and-prevention/", "tags": ["x_refsource_MISC"], "url": "https://www.stackhawk.com/blog/rails-path-traversal-guide-examples-and-prevention/"}], "affected": [{"vendor": "autolab", "product": "Autolab", "versions": [{"version": "< 2.12.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-01-22T14:51:14.371Z"}, "descriptions": [{"lang": "en", "value": "Autolab is a course management service that enables instructors to offer autograded programming assignments to their students over the Web. Path traversal vulnerabilities were discovered in Autolab's assessment functionality in versions of Autolab prior to 2.12.0, whereby instructors can perform arbitrary file reads. Version 2.12.0 contains a patch. There are no feasible workarounds for this issue."}], "source": {"advisory": "GHSA-h8wq-ghfq-5hfx", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T20:07:33.190Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/autolab/Autolab/security/advisories/GHSA-h8wq-ghfq-5hfx", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/autolab/Autolab/security/advisories/GHSA-h8wq-ghfq-5hfx"}, {"name": "https://github.com/autolab/Autolab/releases/tag/v2.12.0", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/autolab/Autolab/releases/tag/v2.12.0"}, {"name": "https://www.stackhawk.com/blog/rails-path-traversal-guide-examples-and-prevention/", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.stackhawk.com/blog/rails-path-traversal-guide-examples-and-prevention/"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-23T19:09:39.273104Z", "id": "CVE-2023-44395", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-23T19:18:41.408Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/autolab/Autolab/security/advisories/GHSA-h8wq-ghfq-5hfx", "name": "https://github.com/autolab/Autolab/security/advisories/GHSA-h8wq-ghfq-5hfx", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/autolab/Autolab/releases/tag/v2.12.0", "name": "https://github.com/autolab/Autolab/releases/tag/v2.12.0", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://www.stackhawk.com/blog/rails-path-traversal-guide-examples-and-prevention/", "name": "https://www.stackhawk.com/blog/rails-path-traversal-guide-examples-and-prevention/", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T20:07:33.190Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-44395", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-23T19:09:39.273104Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-23T19:18:35.472Z"}}], "cna": {"title": "Autolab has Path Traversal vulnerability in Assessment functionality", "source": {"advisory": "GHSA-h8wq-ghfq-5hfx", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "autolab", "product": "Autolab", "versions": [{"status": "affected", "version": "< 2.12.0"}]}], "references": [{"url": "https://github.com/autolab/Autolab/security/advisories/GHSA-h8wq-ghfq-5hfx", "name": "https://github.com/autolab/Autolab/security/advisories/GHSA-h8wq-ghfq-5hfx", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/autolab/Autolab/releases/tag/v2.12.0", "name": "https://github.com/autolab/Autolab/releases/tag/v2.12.0", "tags": ["x_refsource_MISC"]}, {"url": "https://www.stackhawk.com/blog/rails-path-traversal-guide-examples-and-prevention/", "name": "https://www.stackhawk.com/blog/rails-path-traversal-guide-examples-and-prevention/", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Autolab is a course management service that enables instructors to offer autograded programming assignments to their students over the Web. Path traversal vulnerabilities were discovered in Autolab's assessment functionality in versions of Autolab prior to 2.12.0, whereby instructors can perform arbitrary file reads. Version 2.12.0 contains a patch. There are no feasible workarounds for this issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-01-22T14:51:14.371Z"}}}, "cveMetadata": {"cveId": "CVE-2023-44395", "state": "PUBLISHED", "dateUpdated": "2024-08-23T19:18:41.408Z", "dateReserved": "2023-09-28T17:56:32.614Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-01-22T14:51:14.371Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:autolabproject:autolab:*:*:*:*:*:*:*:*", "matchCriteriaId": "E1C7D024-2BC5-4EB3-8FF6-006C25BBAFFD", "versionEndExcluding": "2.12.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Autolab is a course management service that enables instructors to offer autograded programming assignments to their students over the Web. Path traversal vulnerabilities were discovered in Autolab's assessment functionality in versions of Autolab prior to 2.12.0, whereby instructors can perform arbitrary file reads. Version 2.12.0 contains a patch. There are no feasible workarounds for this issue."}, {"lang": "es", "value": "Autolab es un servicio de gesti\u00f3n de cursos que permite a los profesores ofrecer tareas de programaci\u00f3n con calificaci\u00f3n autom\u00e1tica a sus estudiantes a trav\u00e9s de la Web. Se descubrieron vulnerabilidades de path traversal en la funcionalidad de evaluaci\u00f3n de Autolab en versiones de Autolab anteriores a la 2.12.0, mediante las cuales los instructores pueden realizar lecturas de archivos arbitrarias. La versi\u00f3n 2.12.0 contiene un parche. No existen workarounds viables para este problema."}], "id": "CVE-2023-44395", "lastModified": "2024-11-21T08:25:48.913", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-01-22T15:15:08.037", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/autolab/Autolab/releases/tag/v2.12.0"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/autolab/Autolab/security/advisories/GHSA-h8wq-ghfq-5hfx"}, {"source": "security-advisories@github.com", "tags": ["Technical Description"], "url": "https://www.stackhawk.com/blog/rails-path-traversal-guide-examples-and-prevention/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://github.com/autolab/Autolab/releases/tag/v2.12.0"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/autolab/Autolab/security/advisories/GHSA-h8wq-ghfq-5hfx"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Technical Description"], "url": "https://www.stackhawk.com/blog/rails-path-traversal-guide-examples-and-prevention/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Secondary"}]}