PT-2023-23952 · Autolab · Autolab

Published: 2023-05-26 · Updated: 2023-12-11 · CVE-2023-32676

CVSS v3.1: 6.7 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Autolab versions prior to 2.11.0

Description: A Tar slip vulnerability was found in the Install assessment functionality of Autolab, a course management service for auto-graded programming assignments. To exploit this issue, an authenticated attacker with instructor permissions must upload a specially crafted Tar file. The vulnerability allows an attacker to feed a Tar file containing files with paths pointing outside the target directory, such as ../../../../tmp/tarslipped1.sh. When the Install assessment form is submitted, the files inside the archive are expanded to attacker-chosen locations.

Recommendations: For versions prior to 2.11.0, upgrade to version 2.11.0 to address the issue. As a temporary workaround, consider restricting the upload of Tar files or limiting the use of the Install assessment functionality until the upgrade is applied. Restrict access to the Install assessment form to minimize the risk of exploitation. Avoid using the Install assessment functionality with untrusted Tar files until the issue is resolved.
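The defensive check an archive-extracting feature like Install assessment needs is to resolve every entry name against the destination directory and refuse anything that lands outside it. The Ruby example below is added here to illustrate that check; it is not Autolab's code and not the upstream 2.11.0 fix. The function names (safe_entry_path?, extract_tar_safely, build_sample_tar, demo) and the in-memory sample archive are constructed for the example; the only page-derived value is the traversal name ../../../../tmp/tarslipped1.sh, which the extractor rejects.

```ruby
require 'rubygems/package'
require 'stringio'
require 'tmpdir'
require 'fileutils'

# Hypothetical hardened path check (not Autolab's code): the entry name is
# resolved relative to the destination with File.expand_path, which normalises
# ".." segments and absolute names, and the result must stay inside dest_dir.
def safe_entry_path?(dest_dir, entry_name)
  base = File.expand_path(dest_dir)
  target = File.expand_path(entry_name, base)
  target == base || target.start_with?(base + File::SEPARATOR)
end

# Extracts a plain (uncompressed) tar stream into dest_dir. Entries whose name
# escapes dest_dir are skipped, as are link entries: a symlink written first
# could redirect a later in-bounds write outside the destination.
# Returns [written_names, rejected_names].
def extract_tar_safely(io, dest_dir)
  base = File.expand_path(dest_dir)
  written = []
  rejected = []
  Gem::Package::TarReader.new(io) do |tar|
    tar.each do |entry|
      name = entry.full_name
      unless safe_entry_path?(base, name) && (entry.file? || entry.directory?)
        rejected << name
        next
      end
      target = File.expand_path(name, base)
      if entry.directory?
        FileUtils.mkdir_p(target)
      else
        FileUtils.mkdir_p(File.dirname(target))
        File.binwrite(target, entry.read || "")
      end
      written << name
    end
  end
  [written, rejected]
end

# Constructed sample archive (not from the advisory): one benign handout file
# plus one entry carrying the traversal name quoted in the description.
def build_sample_tar
  io = StringIO.new
  Gem::Package::TarWriter.new(io) do |tar|
    tar.add_file("handout/hello.txt", 0644) { |f| f.write("hello\n") }
    tar.add_file("../../../../tmp/tarslipped1.sh", 0755) { |f| f.write("placeholder\n") }
  end
  io.rewind
  io
end

# Runs the extractor against the sample archive in a throwaway directory and
# reports what was written, what was rejected, and whether the benign file landed.
def demo
  Dir.mktmpdir("tarslip-demo") do |dest|
    written, rejected = extract_tar_safely(build_sample_tar, dest)
    {
      written: written,
      rejected: rejected,
      hello_exists: File.exist?(File.join(dest, "handout", "hello.txt"))
    }
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

For gzip-compressed uploads, wrap the input in Zlib::GzipReader before handing it to extract_tar_safely; the path check itself is unchanged. The prefix comparison appends a separator on purpose, so an entry resolving to a sibling directory whose name merely starts with the destination's name (for example courses/c1x next to courses/c1) is still rejected.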

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2023-32676
GHSA-X9HJ-R9Q4-832C

Affected Products

Autolab