CVE-2022-41956

Name of the Vulnerable Software and Affected Versions Autolab versions prior to 2.10.0

Description A file disclosure issue was found in Autolab's remote handin feature, allowing users to submit assignments using paths outside their submission directory and view the file's contents.

Recommendations For versions prior to 2.10.0, update to version 2.10.0 to resolve the issue. As a temporary workaround, ensure the field for the remote handin feature is empty (Edit Assessment > Advanced > Remote handin path), and do not run Autolab as root (or any user with write access to /). Alternatively, disable the remote handin feature if it is unneeded by replacing the body of local submit in app/controllers/assessment/handin.rb with render(plain: "Feature disabled", status: :bad request) && return.