botón arriba

CVE

CVE-2023-32676

Severidad:
ALTA
Tipo:
CWE-22 Limitación incorrecta de nombre de ruta a un directorio restringido (Path Traversal)
Fecha de publicación:
26/05/2023
Última modificación:
05/06/2023

Descripción

*** Pendiente de traducción *** Autolab is a course management service that enables auto-graded programming assignments. A Tar slip vulnerability was found in the Install assessment functionality of Autolab. To exploit this vulnerability an authenticated attacker with instructor permissions needs to upload a specially crafted Tar file. Using the install assessment functionality an attacker can feed a Tar file that contain files with paths pointing outside of the target directory (e.g., `../../../../tmp/tarslipped1.sh`). When the Install assessment form is submitted the files inside of the archives are expanded to the attacker-chosen locations. This issue has been addressed in version 2.11.0. Users are advised to upgrade.

Productos y versiones vulnerables

  • cpe:2.3:a:autolabproject:autolab:*:*:*:*:*:*:*:*