Apache · Maven Enforcer Plugin · CVE-2024-23682
**Name of the Vulnerable Software and Affected Versions**
Artemis Java Test Sandbox versions prior to 1.8.0
**Description**
The issue allows an attacker to escape the sandbox by including class files in a package that Ares trusts, enabling the execution of arbitrary Java code when a victim runs the supposedly sandboxed code. This affects all Artemis users who test Java assignments, potentially allowing students' code to run arbitrary code in the container or on the machine of an assessor during manual correction.
**Recommendations**
For Artemis Java Test Sandbox versions prior to 1.8.0, use the Maven Enforcer Plugin to fail the build if student classes reside in packages that Ares trusts. Configure the plugin as follows:
```xml
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-enforcer-plugin</artifactId>
  <version>3.0.0</version>
  <executions>
    <execution>
      <id>enforce-no-student-code-in-trusted-packages</id>
      <phase>process-classes</phase>
      <goals>
        <goal>enforce</goal>
      </goals>
    </execution>
  </executions>
  <configuration>
    <rules>
      <requireFilesDontExist>
        <files>
          <!-- ADD HERE THE RULES ARES TELLS YOU ARE MISSING -->
        </files>
      </requireFilesDontExist>
    </rules>
  </configuration>
</plugin>
```
Add each package that Ares treats as trusted, including those declared with `@AddTrustedPackage`, as a `<file>` entry (the package's directory under the build output directory) in the `<files>` list, so that the build fails whenever student classes appear there.
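The check the enforcer rule encodes, as an added example that is not Artemis or Ares code: it turns trusted package names into the `<file>` entries the rule expects and scans a compiled-output tree for class files that were placed inside a trusted package. The package names and the sample tree are constructed placeholders, not the packages Ares actually trusts.

```python
"""Flag compiled classes that sit inside packages the test sandbox trusts,
the condition the enforcer rule above fails the build on (added example)."""
import tempfile
from pathlib import Path

# Constructed placeholders: replace with the packages Ares reports as trusted.
TRUSTED_PACKAGES = ["example.sandbox.trusted", "example.sandbox.trusted.util"]


def package_to_dir(package):
    """'a.b.c' -> 'a/b/c', the directory javac writes the package's classes to."""
    return package.replace(".", "/")


def enforcer_file_entries(packages):
    """Render one requireFilesDontExist <file> entry per trusted package."""
    return [
        f"<file>${{project.build.outputDirectory}}/{package_to_dir(p)}</file>"
        for p in packages
    ]


def find_violations(classes_dir, packages):
    """Relative paths of .class files inside a trusted package or any of its
    subpackages, i.e. code that must not be in the student build output."""
    root = Path(classes_dir)
    prefixes = [package_to_dir(p) + "/" for p in packages]
    hits = []
    for cls in sorted(root.rglob("*.class")):
        rel = cls.relative_to(root).as_posix()
        if any(rel.startswith(prefix) for prefix in prefixes):
            hits.append(rel)
    return hits


def build_sample_tree():
    """Constructed sample output tree: one legitimate student class and one
    smuggled into a trusted package. File contents are irrelevant to the check."""
    base = tempfile.mkdtemp()
    for rel in ["student/Solution.class", "example/sandbox/trusted/Escape.class"]:
        path = Path(base, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"\xca\xfe\xba\xbe")  # class-file magic number only
    return base


if __name__ == "__main__":
    print("\n".join(enforcer_file_entries(TRUSTED_PACKAGES)))
    bad = find_violations(build_sample_tree(), TRUSTED_PACKAGES)
    print("violations:", bad)
    raise SystemExit(1 if bad else 0)
```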