Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Judge0 vulnerable to Sandbox Escape Patch Bypass via chown running on Symbolic Link
Vulnerability Description
Judge0 is an open-source online code execution system. The application uses the UNIX chown command on an untrusted file within the sandbox. An attacker can abuse this by creating a symbolic link (symlink) to a file outside the sandbox, allowing the attacker to run chown on arbitrary files outside of the sandbox. This vulnerability is not impactful on it's own, but it can be used to bypass the patch for CVE-2024-28185 and obtain a complete sandbox escape. This vulnerability is fixed in 1.13.1.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Vulnerability Type
CWE-61
Vulnerability Title
Judge0 CE 安全漏洞
Vulnerability Description
Judge0 CE是Judge0开源的一个开源在线代码执行系统。 Judge0 CE 1.13.1之前版本存在安全漏洞,该漏洞源于应用程序对沙箱内不受信任的文件使用 UNIX 命令,攻击者利用该漏洞可以创建指向沙箱外部文件的符号链接在沙箱外执行代码。
CVSS Information
N/A
Vulnerability Type
N/A