Cyber Resilience

CVE-2024-29021

Critical

Published: 18 April 2024

Published
18 April 2024
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 9.0 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0163 82.3th percentile
Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-29021 is a critical-severity SSRF (CWE-918) vulnerability. Its CVSS base score is 9.0 (Critical).

Operationally, ranked in the top 17.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

Judge0 is an open-source online code execution system. The default configuration of Judge0 leaves the service vulnerable to a sandbox escape via Server Side Request Forgery (SSRF). This allows an attacker with sufficient access to the Judge0 API to obtain…

more

unsandboxed code execution as root on the target machine. This vulnerability is fixed in 1.13.1.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-918

Penetration testing attempts server-side requests to internal resources, identifying SSRF weaknesses for remediation.

addresses: CWE-1393

Changing default authenticators prior to first use prevents use of default passwords.

addresses: CWE-1393

Requires authentication that meets guidelines, avoiding default passwords for cryptographic module access.

addresses: CWE-1393

Threat awareness programs disseminate botnet and scanning activity tied to default passwords, driving organizations to change or enforce non-default credentials before mass exploitation occurs.

addresses: CWE-918

Outbound connections to external resources can be monitored and limited at the boundary, reducing SSRF impact.

addresses: CWE-918

Validates server-side URLs and resource references to block SSRF attempts.

addresses: CWE-918

Detects server-side request forgery through monitoring of unexpected outbound connections.

References