CVE-2020-13144
published 2020-05-18

CVE-2020-13144: Studio in Open edX Ironwood 2.5, when CodeJail is not used, allows a user to go to the "Create New course>New section>New subsection>New unit>Add new…

Priority: P2 65 high · CVSS 3.1 base score: 8.8
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 10.96% (95.3rd percentile)
Studio in Open edX Ironwood 2.5, when CodeJail is not used, allows a user to go to the "Create New course>New section>New subsection>New unit>Add new component>Problem button>Advanced tab>Custom Python evaluated code" screen, edit the problem, and execute Python code. This leads to arbitrary code execution.

Affected (2 ranges)

Vendor      | Product             | Version range                        | Fixed in
edx         | open_edx_platform   | (not listed)                         | (not listed)
imagemagick | imagemagick         | >= 0 < 8:6.8.9.9-7ubuntu5.16+esm2    | 8:6.8.9.9-7ubuntu5.16+esm2

Detection & IOCs (extracted from sources)

URL: /edx-studio
Command: import os; os.system("thecommandyouwanttoexecute")
  • Monitor for Python os.system() or subprocess calls originating from the Open edX Studio web application process, which would indicate exploitation of the Custom Python evaluated code component.
  • Alert on authenticated HTTP requests navigating the path: Create New course > New section > New subsection > New unit > Add new component > Problem button > Advanced tab > Custom Python evaluated code, as this is the specific UI path used to reach the vulnerable code execution point.
  • Detect exploitation by monitoring for unexpected child processes (e.g. shell commands) spawned by the edxapp/LMS or Studio web server process, particularly when CodeJail sandboxing is absent.
  • This vulnerability is only exploitable when CodeJail is NOT configured/enforced. Deployments with CodeJail properly enabled are not affected.
  • Exploitation requires an authenticated user account; unauthenticated attackers cannot reach the vulnerable endpoint.
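The two host-side signals in the bullets above (a shell spawned by a Studio/LMS worker, and a custom-python problem that calls `os.system`) can be checked with a small script. This is an added example, not code from the cvebase page or the Open edX project; the process-event schema (`pid`, `ppid`, `comm`, `cmdline`), the worker command-line markers and the sample data are constructed assumptions that must be adapted to a real deployment's process telemetry.

```python
"""Toy detector for CVE-2020-13144-style exploitation signals.

Constructed sample data only. The event schema and the worker markers are
assumptions for this example, not any product's real format.
"""
import re

# Child process names an edX web worker should never spawn during normal
# request handling (assumption: tune to your deployment).
SUSPICIOUS_CHILDREN = {"sh", "bash", "dash", "curl", "wget", "nc"}

# Hypothetical command-line markers that identify Studio (cms) / LMS workers.
EDX_WORKER_MARKERS = ("cms.wsgi", "lms.wsgi", "edxapp")

# Calls that have no business inside a graded problem's custom python.
DANGEROUS_CALLS = re.compile(r"\b(os\.system|subprocess\.|__import__|eval\(|exec\()")

# edX capa problems embed grader code in <script type="loncapa/python">.
PY_SCRIPT = re.compile(r"<script[^>]*loncapa/python[^>]*>(.*?)</script>", re.S)


def is_edx_worker(cmdline: str) -> bool:
    return any(marker in cmdline for marker in EDX_WORKER_MARKERS)


def suspicious_children(events):
    """Return events whose parent is an edX worker and whose comm is a shell
    or download tool. events: iterable of dicts with pid, ppid, comm, cmdline."""
    events = list(events)
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        if is_edx_worker(parent["cmdline"]) and e["comm"] in SUSPICIOUS_CHILDREN:
            hits.append(e)
    return hits


def flag_custom_python(problem_xml: str):
    """Return the dangerous call names found in a problem's python scripts."""
    found = []
    for body in PY_SCRIPT.findall(problem_xml):
        found.extend(m.group(1) for m in DANGEROUS_CALLS.finditer(body))
    return found


# Constructed process-tree snapshot: gunicorn master -> worker -> sh (bad),
# plus an unrelated interactive ssh session (benign).
EVENTS = [
    {"pid": 100, "ppid": 1,   "comm": "gunicorn", "cmdline": "gunicorn cms.wsgi:application"},
    {"pid": 101, "ppid": 100, "comm": "gunicorn", "cmdline": "gunicorn cms.wsgi:application"},
    {"pid": 102, "ppid": 101, "comm": "sh",       "cmdline": "sh -c thecommandyouwanttoexecute"},
    {"pid": 200, "ppid": 1,   "comm": "sshd",     "cmdline": "sshd: admin [priv]"},
    {"pid": 201, "ppid": 200, "comm": "bash",     "cmdline": "-bash"},
]

# Constructed problem definitions: one abusive, one ordinary.
SAMPLE_PROBLEM = """<problem>
<script type="loncapa/python">
import os
os.system("thecommandyouwanttoexecute")
</script>
<customresponse cfn="check"><textline/></customresponse>
</problem>"""

BENIGN_PROBLEM = """<problem>
<script type="loncapa/python">
import random
answer = random.randint(1, 10)
</script>
<customresponse cfn="check"><textline/></customresponse>
</problem>"""

if __name__ == "__main__":
    for hit in suspicious_children(EVENTS):
        print("suspicious child of edX worker:", hit)
    print("abusive problem flags:", flag_custom_python(SAMPLE_PROBLEM))
    print("benign problem flags:", flag_custom_python(BENIGN_PROBLEM))
```

Only the `sh` spawned under the `cms.wsgi` worker is reported; the `bash` under `sshd` is ignored because its parent is not an edX worker. Note that the content check is a triage aid, not a substitute for CodeJail: with sandboxing in place, custom python runs in a confined process and the `os.system` call never reaches the web worker.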

CVSS provenance

Source | Version | Score | Severity | Vector
nvd    | v3.1    | 8.8   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd    | v2.0    | 6.5   | MEDIUM   | AV:N/AC:L/Au:S/C:P/I:P/A:P
osv    |         | 6.5   | MEDIUM   |