PT-2023-32946 · Unknown · Artemis Java Test Sandbox

Ldap · Published 2023-02-10 · Updated 2025-11-28 · CVE-2024-23681

CVSS v3.1: 8.2 (High)

Vector: AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Artemis Java Test Sandbox versions prior to 1.11.2

Description

An attacker can escape the sandbox by loading untrusted libraries with System.load(String) or System.loadLibrary(String). This can lead to arbitrary Java code execution when a victim runs the supposedly sandboxed code. The cause is a missing checkLink(String) override in the SecurityManager, which lets students load libraries and execute arbitrary code.

Recommendations

Update versions prior to 1.11.2 to version 1.11.2 or later to resolve the issue. As a temporary workaround, consider adding the checkExec(String) override to the SecurityManager to prevent arbitrary code execution. Additionally, restrict the use of the System.load and System.loadLibrary functions to minimize the risk of exploitation.
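
The description attributes the escape to a missing checkLink(String) override. The following added example (not code from the Artemis Java Test Sandbox project) contrasts a SecurityManager that inherits checkLink with one that overrides it. The class names and the library name are constructed, and it assumes a JDK that still permits installing a SecurityManager (JDK 17 or earlier, or JDK 18 to 23 started with -Djava.security.manager=allow).

```java
// Added example, not Artemis Java Test Sandbox code. Assumes a JDK that still
// allows System.setSecurityManager (see the lead-in for the version assumption).
import java.security.Permission;

public class CheckLinkDemo {
    // Shape of the flaw: permission checks are customised, but checkLink(String)
    // is inherited, so it only delegates to the permissive checkPermission below.
    static class PermissiveManager extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            // Constructed stand-in for a sandbox policy that never considers
            // RuntimePermission("loadLibrary.*"): every request passes.
        }
    }

    // Hardened form: System.load and System.loadLibrary both call checkLink
    // first, so the request is refused before the JVM looks for the library.
    static class NoNativeLinkManager extends PermissiveManager {
        @Override
        public void checkLink(String lib) {
            throw new SecurityException("native library loading denied: " + lib);
        }
    }

    // Reports what happens when code under the given manager requests a library.
    static String tryLoad(SecurityManager sm, String lib) {
        SecurityManager previous = System.getSecurityManager();
        System.setSecurityManager(sm);
        try {
            System.loadLibrary(lib);
            return "loaded";
        } catch (SecurityException e) {
            return "blocked by SecurityManager";
        } catch (UnsatisfiedLinkError e) {
            // The check passed and the JVM went on to search for the library.
            return "check passed, loader searched for the library";
        } finally {
            System.setSecurityManager(previous);
        }
    }

    public static void main(String[] args) {
        String lib = "constructed_example_lib"; // constructed name, no such library exists
        System.out.println("inherited checkLink:  " + tryLoad(new PermissiveManager(), lib));
        System.out.println("overridden checkLink: " + tryLoad(new NoNativeLinkManager(), lib));
    }
}
```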

Weakness Enumeration

Improper Access Control
Code Injection

Related Identifiers

CVE-2024-23681
GHSA-98HQ-4WMW-98W9
GHSA-C4PG-5GGH-VCPP

Affected Products

Artemis Java Test Sandbox