VYPR
Unrated severityNVD Advisory· Published Jan 14, 2023· Updated Aug 3, 2024

Autolab is vulnerable to file disclosure via remote handin feature

CVE-2022-41956

Description

Autolab is a course management service, initially developed by a team of students at Carnegie Mellon University, that enables instructors to offer autograded programming assignments to their students over the Web. A file disclosure vulnerability was discovered in Autolab's remote handin feature, whereby users are able to hand-in assignments using paths outside their submission directory. Users can then view the submission to view the file's contents. The vulnerability has been patched in version 2.10.0. As a workaround, ensure that the field for the remote handin feature is empty (Edit Assessment > Advanced > Remote handin path), and that you are not running Autolab as root (or any user that has write access to /). Alternatively, disable the remote handin feature if it is unneeded by replacing the body of local_submit in app/controllers/assessment/handin.rb with render(plain: "Feature disabled", status: :bad_request) && return.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Autolab/Autolabllm-fuzzy2 versions
    <2.10.0+ 1 more
    • (no CPE)range: <2.10.0
    • (no CPE)range: <= 2.9.0

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.