cbcvebase.
CVE-2024-28185
published 2024-04-18

Priority: P276
CVSS 3.1: 10 (critical), vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EXPLOIT
EPSS: 7.06% (93.4th percentile)

Judge0 is an open-source online code execution system. The application does not account for symlinks placed inside the sandbox directory, which can be leveraged by an attacker to write to arbitrary files and gain code execution outside of the sandbox. When executing a submission, Judge0 writes a `run_script` to the sandbox directory. The security issue is that an attacker can create a symbolic link (symlink) at the path `run_script` before this code is executed, resulting in the `f.write` writing to an arbitrary file on the unsandboxed system. An attacker can leverage this vulnerability to overwrite scripts on the system and gain code execution outside of the sandbox.

Affected

1 range

Vendor | Product | Version range | Fixed in
judge0 | judge0  | <= 1.13.0     |

Detection & IOCs (extracted from sources)

path: `run_script`
  • Monitor for symbolic link creation (symlink) at the path `run_script` inside Judge0 sandbox directories, which may indicate exploitation of CVE-2024-28185.
  • Alert on file writes to unexpected paths outside the sandbox directory originating from the Judge0 process, particularly writes to system scripts, as this indicates successful sandbox escape.
  • A public Metasploit module exists for this vulnerability class (judge0_sandbox_escape); monitor for exploitation attempts against Judge0 HTTP endpoints.
  • The vulnerability requires the attacker to be able to place files (specifically a symlink named `run_script`) inside the sandbox directory prior to submission execution, implying some level of write access to the sandbox is a prerequisite.
  • The Metasploit module references CVE-2024-28189 in its filename despite being associated with this vulnerability class; analysts should verify CVE mapping when triaging detections.
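
The symlink check from the first detection bullet and a write that refuses to follow a link at `run_script`, as an added example (not Judge0's code and not its actual fix). The helper names `planted_symlinks`, `write_script_nofollow` and `demo`, and the temporary directory layout, are assumptions made for illustration.

```ruby
require "find"
require "tmpdir"
require "fileutils"

# Detection: list every symlink named run_script under a sandbox root,
# with its target. Find.find does not descend through symlinks.
def planted_symlinks(sandbox_root, name = "run_script")
  Find.find(sandbox_root)
      .select { |p| File.basename(p) == name && File.symlink?(p) }
      .map { |p| [p, File.readlink(p)] }
end

# Mitigation sketch: the pattern described in the advisory is equivalent to
#   File.open(path, "w") { |f| f.write(content) }   # follows a planted symlink
# O_CREAT|O_EXCL makes open() fail if anything already exists at the path,
# including a dangling symlink; O_NOFOLLOW covers the final path component.
def write_script_nofollow(box_dir, name, content)
  path = File.join(box_dir, name)
  flags = File::WRONLY | File::CREAT | File::EXCL | File::NOFOLLOW
  File.open(path, flags, 0o700) { |f| f.write(content) }
  :written
rescue Errno::EEXIST, Errno::ELOOP
  File.symlink?(path) ? :symlink_rejected : :exists_rejected
end

# Constructed scenario in a temp dir: a sandbox box containing a run_script
# symlink that points at a file outside the sandbox root.
def demo
  Dir.mktmpdir do |tmp|
    root = File.join(tmp, "sandbox")
    box = File.join(root, "box-1")
    FileUtils.mkdir_p(box)
    host_file = File.join(tmp, "host_script.sh")
    File.write(host_file, "original\n")
    File.symlink(host_file, File.join(box, "run_script"))

    found = planted_symlinks(root)
    result = write_script_nofollow(box, "run_script", "echo hi\n")
    { found: found, result: result, host_content: File.read(host_file) }
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The flags only protect the final path component; a symlinked parent directory inside the sandbox would need a separate check.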