PT-2023-23725 · Autolab · Autolab
Published 2023-05-26 · Updated 2023-12-11
CVE-2023-32317
CVSS v3.1 6.7 Medium
| Vector | AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Autolab versions prior to 2.11.0
Description
A Tar slip vulnerability was found in the MOSS cheat checker functionality of Autolab, a course management service for auto-graded programming assignments. To exploit this issue, an authenticated attacker with instructor permissions must upload a specially crafted Tar file. Both the "Base File Tar" and "Additional file archive" inputs accept Tar files whose entry names point outside their target directories, such as
../../../../tmp/tarslipped2.sh. When the MOSS cheat checker is started, the entries are extracted to those attacker-chosen locations, which allows an arbitrary file write with the privileges of the running Autolab process.
Recommendations
For versions prior to 2.11.0, upgrade to version 2.11.0, which addresses the issue. As a temporary workaround, restrict the upload of Tar files or limit the set of accounts holding instructor permissions, since the attack requires that role. Until the upgrade is applied, avoid using the "Base File Tar" and "Additional file archive" functionalities with untrusted input.
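To make the description concrete, the following added example (illustrative Ruby, since Autolab is a Rails application; this is not Autolab's code or the 2.11.0 fix) builds a constructed in-memory tar whose single entry is named ../../../../tmp/tarslipped2.sh, extracts it with a naive extractor that honours the ".." segments, and then with a hardened one that resolves every entry against the destination and refuses anything that lands outside it. The archive contents, the `build_archive`, `extract_unsafe` and `extract_safe` helpers and the `TarSlipError` class are assumptions made for the demonstration; the destination is nested four levels inside a temporary sandbox so the escape stays inside it.

```ruby
require 'rubygems/package'
require 'stringio'
require 'tmpdir'
require 'fileutils'

class TarSlipError < StandardError; end

# Constructed sample: an in-memory tar whose only entry has a name that climbs
# out of the extraction directory, like the advisory's ../../../../tmp/tarslipped2.sh.
# The body is a dummy shell script; any content would do.
def build_archive(entry_name, body = "#!/bin/sh\necho tarslipped\n")
  io = StringIO.new
  Gem::Package::TarWriter.new(io) do |tar|
    tar.add_file(entry_name, 0o755) { |f| f.write(body) }
  end
  io.string
end

# Vulnerable extractor (illustrative, not Autolab's code): it trusts the entry
# name and resolves it against the destination, so ".." segments are honoured
# and the file lands wherever the archive says. Returns the paths it wrote.
def extract_unsafe(tar_bytes, dest)
  written = []
  Gem::Package::TarReader.new(StringIO.new(tar_bytes)) do |tar|
    tar.each do |entry|
      next unless entry.file?
      target = File.expand_path(entry.full_name, dest) # ".." is resolved, not rejected
      FileUtils.mkdir_p(File.dirname(target))
      File.binwrite(target, entry.read)
      written << target
    end
  end
  written
end

# Hardened extractor: resolve each entry name against the destination root and
# refuse anything whose resolved path is not inside it (this covers "..",
# absolute names and "~"). Link entries are refused as well, because a symlink
# entry followed by a file entry written through it is the other classic escape.
def extract_safe(tar_bytes, dest)
  root = File.expand_path(dest)
  written = []
  Gem::Package::TarReader.new(StringIO.new(tar_bytes)) do |tar|
    tar.each do |entry|
      name = entry.full_name
      if entry.symlink? || entry.header.typeflag == '1'
        raise TarSlipError, "refusing link entry #{name.inspect}"
      end
      # File.expand_path would turn "~user" into a home directory (or raise),
      # so reject those names before resolving.
      raise TarSlipError, "refusing home-relative entry #{name.inspect}" if name.start_with?('~')
      target = File.expand_path(name, root)
      inside = target == root || target.start_with?(root + File::SEPARATOR)
      raise TarSlipError, "entry #{name.inspect} escapes #{root}" unless inside
      next unless entry.file?
      FileUtils.mkdir_p(File.dirname(target))
      File.binwrite(target, entry.read)
      written << target
    end
  end
  written
end

if $PROGRAM_NAME == __FILE__
  Dir.mktmpdir do |sandbox|
    dest = File.join(sandbox, 'a', 'b', 'c', 'd') # four levels deep: the escape
    FileUtils.mkdir_p(dest)                        # ends up in sandbox/tmp, not /tmp
    tar = build_archive('../../../../tmp/tarslipped2.sh')
    puts "unsafe extractor wrote: #{extract_unsafe(tar, dest).inspect}"
    begin
      extract_safe(tar, dest)
    rescue TarSlipError => e
      puts "safe extractor refused: #{e.message}"
    end
  end
end
```

The important detail is that `File.expand_path` alone is not a defence: the unsafe extractor calls it too, and it simply resolves the ".." segments into a path under the sandbox root rather than under the intended destination. The check that matters is the comparison of the resolved path against the destination prefix, done per entry, before anything is written.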
Weakness Enumeration
Path traversal
Related Identifiers
CVE-2023-32317
Affected Products
Autolab