CVE-2024-28189
Published: 18 April 2024
Summary
CVE-2024-28189 is a critical-severity Link Following (CWE-59) vulnerability. Its CVSS base score is 10.0 (Critical).
Operationally, it ranks in the top 1.8% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.
Deeper analysis
Judge0 is an open-source online code execution system that runs untrusted code inside an isolated sandbox. The vulnerability exists in the isolate_job component, which invokes the UNIX chown command directly on a file path supplied by user code without first resolving or validating symbolic links. This allows an attacker to supply a symlink that points outside the sandbox, causing chown to operate on arbitrary files on the host filesystem. The issue is tracked as CWE-59 and CWE-61 and was assigned a CVSS score of 10.0.
An unauthenticated remote attacker who can submit code to a Judge0 instance can create the malicious symlink and thereby change ownership of files outside the sandbox. Although the flaw has limited direct impact, it can be chained with the earlier CVE-2024-28185 to fully escape the sandbox and obtain arbitrary code execution on the host. Exploitation requires no special privileges or user interaction.
The vulnerability is fixed in Judge0 version 1.13.1. The project’s security advisories GHSA-3xpw-36v7-2cmg and GHSA-h9g2-45c8-89cf, along with the corresponding commit, describe the symlink-handling flaw and confirm that the chown operation was updated to prevent traversal outside the sandbox. The EPSS score has remained at 0.5758 with no material increase since disclosure.
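The fix described above comes down to one rule: never hand a user-controlled path to chown until you know where it really points. As an added illustration (not code from the Judge0 project or its advisories), the following Python shows the check a sandbox supervisor would apply before changing ownership of a file that untrusted code created: refuse a symlink leaf outright (lstat does not follow links), require the fully resolved path to stay under the sandbox root (this also catches a symlinked parent directory such as sandbox/dir -> /host), and then chown with lchown semantics. The sandbox and "host" directories are constructed temporary directories, and the names safe_chown, assert_within_sandbox and run_demo are hypothetical.

```python
import os
import shutil
import stat
import tempfile


def assert_within_sandbox(path: str, sandbox_root: str) -> str:
    """Return the fully resolved path, or raise if it escapes sandbox_root.

    realpath() resolves every symlink on the way, so a symlinked parent
    directory (sandbox/dir -> /host) is caught as well as a symlink leaf.
    """
    real = os.path.realpath(path)
    root = os.path.realpath(sandbox_root)
    if os.path.commonpath([real, root]) != root:
        raise PermissionError(f"{path} resolves to {real}, outside {root}")
    return real


def safe_chown(path: str, uid: int, gid: int, sandbox_root: str) -> None:
    """chown that never follows a symlink and never leaves the sandbox."""
    # 1. Refuse symlink leaves outright: lstat() reports the link itself.
    if stat.S_ISLNK(os.lstat(path).st_mode):
        raise PermissionError(f"refusing to chown symlink {path}")
    # 2. Containment check on the resolved path (catches symlinked parents).
    assert_within_sandbox(path, sandbox_root)
    # 3. follow_symlinks=False is lchown(2): even if the leaf were swapped
    #    for a link after step 1, ownership of the link itself changes, not
    #    of whatever it points at.
    os.chown(path, uid, gid, follow_symlinks=False)


def run_demo() -> dict:
    """Constructed layout: a sandbox directory and a separate 'host' directory.

    Returns, for three chown attempts, whether safe_chown allowed them.
    """
    sandbox = tempfile.mkdtemp(prefix="sandbox-")
    host = tempfile.mkdtemp(prefix="host-")
    try:
        host_file = os.path.join(host, "secret.txt")
        with open(host_file, "w") as f:
            f.write("constructed host file\n")
        regular = os.path.join(sandbox, "output.txt")
        with open(regular, "w") as f:
            f.write("constructed sandbox file\n")
        # The two shapes the advisory text describes: a symlink leaf and a
        # path that passes through a symlinked directory component.
        leaf_link = os.path.join(sandbox, "leaf_link")
        os.symlink(host_file, leaf_link)
        os.symlink(host, os.path.join(sandbox, "dir_link"))
        via_dir = os.path.join(sandbox, "dir_link", "secret.txt")

        uid, gid = os.getuid(), os.getgid()  # chown to self is always permitted
        results = {}
        for name, target in (("regular", regular),
                             ("symlink_leaf", leaf_link),
                             ("symlink_dir", via_dir)):
            try:
                safe_chown(target, uid, gid, sandbox)
                results[name] = True
            except PermissionError:
                results[name] = False
        return results
    finally:
        shutil.rmtree(sandbox)  # rmtree unlinks symlinks rather than following them
        shutil.rmtree(host)


if __name__ == "__main__":
    print(run_demo())
```

Only the regular file inside the sandbox is chowned; both symlink shapes are rejected before chown runs. Note the remaining gap a production fix must close: the containment check in step 2 and the chown in step 3 are separate system calls, so a directory component could in principle be replaced by a symlink between them. Closing that race means walking the path with openat-style directory file descriptors (os.open with O_NOFOLLOW and the dir_fd parameters) or running the sandboxed process inside a mount namespace where "outside" does not exist at all.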
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-25312
Vulnerability details
Judge0 is an open-source online code execution system. The application uses the UNIX chown command on an untrusted file within the sandbox. An attacker can abuse this by creating a symbolic link (symlink) to a file outside the sandbox, allowing the attacker to run chown on arbitrary files outside of the sandbox. This vulnerability is not impactful on its own, but it can be used to bypass the patch for CVE-2024-28185 and obtain a complete sandbox escape. This vulnerability is fixed in 1.13.1.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.