CVE-2023-32317— Autolab 路径遍历漏洞

Autolab tar slip in cheat checker functionality (`GHSL-2023-082`)

Autolab is a course management service that enables auto-graded programming assignments. A Tar slip vulnerability was found in the MOSS cheat checker functionality of Autolab. To exploit this vulnerability an authenticated attacker with instructor permissions needs to upload a specially crafted Tar file. Both "Base File Tar" and "Additional file archive" can be fed with Tar files that contain paths outside their target directories (e.g., `../../../../tmp/tarslipped2.sh`). When the MOSS cheat checker is started the files inside of the archives are expanded to the attacker-chosen locations. This issue may lead to arbitrary file write within the scope of the running process. This issue has been addressed in version 2.11.0. Users are advised to upgrade.

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H

对路径名的限制不恰当(路径遍历)

Autolab 路径遍历漏洞

Autolab是一项课程管理服务。支持自动评分的编程作业。 Autolab 2.10.0及之前版本存在安全漏洞，该漏洞源于在 Autolab 的 MOSS功能中发现了 Tar slip 漏洞，攻击者利用该漏洞可以上传特制的 Tar 文件。

N/A

N/A