GHSA-227w-wv4j-67h4

Опубликовано: 09 фев. 2022

Источник: github

Github: Прошло ревью

CVSS3: 8.2

Описание

Class Loading Vulnerability in Artemis

Impact

This affects all Artemis users who test Java assignments. Ares is not required. Students code that gets automatically tested can run arbitrary code in the container, or arbitrary code on the machine of an assessor in case of manual correction.

Patches

The problem cannot be resolved easily in Ares itself. Use the Maven Enforcer Plugin as follows:

<plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-enforcer-plugin</artifactId> <version>3.0.0</version> <executions> <execution> <id>enforce-no-student-code-in-trusted-packages</id> <phase>process-classes</phase> <goals> <goal>enforce</goal> </goals> </execution> </executions> <configuration> <rules> <requireFilesDontExist> <files>  </files> </requireFilesDontExist> </rules> </configuration> </plugin>

This fails the build if student classes reside in such packages that Ares trusts. Trusted packages added in Ares using @AddTrustedPackage should be added as well.

For more information

If you have any questions or comments about this advisory:

Open a discussion https://github.com/ls1intum/Ares/discussions
Open an issue in https://github.com/ls1intum/Ares/issues
Email us, see https://github.com/ls1intum/Ares/security/policy

References

See the assignment of Julius that passes the tests in TUM Artemis course: "Test - Praktikum: Grundlagen der Programmierung (Testkurs für Tutoren) - Security Tests" (if that still exists in 2022).

Also see #15 for almost the same problem.

Ссылки

Пакеты

Наименование

de.tum.in.ase:artemis-java-test-sandbox

maven

Затронутые версииВерсия исправления

< 1.8.0

1.8.0

8.2 High

CVSS3

Дефекты

CWE-501

CWE-653

8.2 High

CVSS3

Дефекты

CWE-501

CWE-653