CVE-2024-28185
Published: 18 April 2024
Summary
CVE-2024-28185 is a critical-severity Link Following (CWE-59) vulnerability. Its CVSS base score is 10.0 (Critical).
Operationally, it ranks in the top 1.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Judge0 is an open-source online code execution system that fails to handle symbolic links inside its sandbox directory. When processing a submission, the application writes a run_script file to the sandbox via an f.write operation in isolate_job.rb; an attacker-supplied symlink at that path causes the write to target an arbitrary location on the host filesystem instead. The flaw is tracked as CVE-2024-28185, carries a CVSS 3.1 score of 10.0, and is associated with CWE-59 and CWE-61.
An unauthenticated remote attacker can place the symlink before code execution begins, overwrite system scripts or binaries, and obtain code execution outside the intended sandbox. The attack requires only the ability to submit code and does not depend on user interaction or elevated privileges within the application.
The project’s GitHub Security Advisory GHSA-h9g2-45c8-89cf and the corrective commit 846d5839026161bb299b7a35fd3b2afb107992fc document the issue and supply the patch that prevents symlink traversal during the run_script write. The current EPSS score of 0.6502 has remained at its observed peak since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-25309
Vulnerability details
Judge0 is an open-source online code execution system. The application does not account for symlinks placed inside the sandbox directory, which can be leveraged by an attacker to write to arbitrary files and gain code execution outside of the sandbox.
When executing a submission, Judge0 writes a `run_script` to the sandbox directory. The security issue is that an attacker can create a symbolic link (symlink) at the path `run_script` before this code is executed, resulting in the `f.write` writing to an arbitrary file on the unsandboxed system. An attacker can leverage this vulnerability to overwrite scripts on the system and gain code execution outside of the sandbox.
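The write pattern described above, beside a hardened counterpart, as an added Ruby example that is not Judge0's own code: the function names, the temporary directory layout and the `host_file` stand-in for a file outside the sandbox are constructed for illustration only.

```ruby
require "tmpdir"
require "fileutils"

# Illustrative vulnerable pattern (constructed, not Judge0's actual code):
# open the sandbox path and write, following whatever is already there.
# If run_script is a symlink planted earlier, the bytes land on the
# symlink's target instead of inside the sandbox.
def write_run_script_unsafe(sandbox_dir, script)
  path = File.join(sandbox_dir, "run_script")
  File.open(path, "w") { |f| f.write(script) }
  path
end

# Hardened variant: never follow a symlink and never reuse a pre-existing
# entry. O_CREAT|O_EXCL makes open(2) fail with EEXIST when anything exists
# at the path (a dangling symlink included); O_NOFOLLOW makes it fail with
# ELOOP when the final component is a symlink whose target exists. The
# open flags, not the pre-check, are what close the check-then-use race.
def write_run_script_safe(sandbox_dir, script)
  path = File.join(sandbox_dir, "run_script")
  # lstat-based checks inspect the entry itself, not a symlink target.
  if File.symlink?(path) || File.exist?(path)
    raise ArgumentError, "refusing to write: #{path} already exists"
  end
  nofollow = File.const_defined?(:NOFOLLOW) ? File::NOFOLLOW : 0
  flags = File::WRONLY | File::CREAT | File::EXCL | nofollow
  File.open(path, flags, 0o700) { |f| f.write(script) }
  path
end

# Self-contained demonstration in a temporary directory: a symlink named
# run_script points at a stand-in "host" file. Returns the outcome of both
# writers so the behaviour can be checked without touching real system paths.
def demo_symlink_write
  Dir.mktmpdir("cwe59-demo-") do |tmp|
    host_file = File.join(tmp, "host_file")   # constructed stand-in target
    File.write(host_file, "original\n")
    sandbox = File.join(tmp, "box")
    Dir.mkdir(sandbox)
    File.symlink(host_file, File.join(sandbox, "run_script"))

    # Hardened writer must refuse and leave the target untouched.
    safe_error = begin
      write_run_script_safe(sandbox, "echo hi\n")
      nil
    rescue ArgumentError, SystemCallError => e
      e.class.name
    end
    after_safe = File.read(host_file)

    # Vulnerable writer follows the link and overwrites the target.
    write_run_script_unsafe(sandbox, "echo hi\n")
    after_unsafe = File.read(host_file)

    # Hardened writer still works on a fresh, empty sandbox directory.
    clean = File.join(tmp, "clean")
    Dir.mkdir(clean)
    write_run_script_safe(clean, "echo ok\n")
    clean_content = File.read(File.join(clean, "run_script"))

    { safe_error: safe_error, after_safe: after_safe,
      after_unsafe: after_unsafe, clean_content: clean_content }
  end
end

if __FILE__ == $PROGRAM_NAME
  demo_symlink_write.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

The pre-check alone would still be racy, because an entry can appear between the check and the open; the `File::EXCL` and `File::NOFOLLOW` flags make the kernel enforce the rule atomically at open time. Creating each submission's sandbox directory fresh, owned by the service account and empty, before any `run_script` write is the complementary control.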
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.