PT-2022-28164 · Unknown · Artemis Java Test Sandbox

Maisikoleni · Published 2022-01-21 · Updated 2025-11-28 · CVE-2024-23683

CVSS v3.1: 8.2 High

Vector: AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Artemis Java Test Sandbox versions less than 1.7.6

Description

The issue allows an attacker to create special subclasses of InvocationTargetException that escape the exception sanitization. This enables arbitrary student code to be executed in a trusted context, allowing the attacker to disable security measures and gain full control over the system. The attacker can abuse this issue to execute arbitrary Java code when a victim executes the supposedly sandboxed code.

Recommendations

Update to version 1.7.6 or later. As a temporary workaround, consider forbidding student classes in trusted packages. Restrict access to trusted packages like de.tum.in.test.api.security.notsealedsubpackage to minimize the risk of exploitation. Avoid using the InvocationTargetException exception in the affected code until the issue is resolved.

Related Identifiers

CVE-2024-23683
GHSA-23RX-79R7-6CPX
GHSA-883X-6FCH-6WJX

Affected Products

Artemis Java Test Sandbox