CVE-2024-28185

Name of the Vulnerable Software and Affected Versions Judge0 (affected versions not specified)

Description The issue concerns an open-source online code execution system. It does not account for symlinks placed inside the sandbox directory, which can be leveraged by an attacker to write to arbitrary files and gain code execution outside of the sandbox. When executing a submission, the system writes a run script to the sandbox directory. An attacker can create a symbolic link (symlink) at the path run script before this code is executed, resulting in the f.write writing to an arbitrary file on the unsandboxed system. This can be used to overwrite scripts on the system and gain code execution outside of the sandbox.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.