Artemis Java Test Sandbox Class Loading Escape
Description
Artemis Java Test Sandbox versions before 1.8.0 are vulnerable to a sandbox escape when an attacker includes class files in a package that Ares trusts. An attacker can abuse this issue to execute arbitrary Java when a victim executes the supposedly sandboxed code.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Artemis Java Test Sandbox before 1.8.0 allows sandbox escape via trusted packages, enabling arbitrary code execution.
Vulnerability
Artemis Java Test Sandbox (Ares) versions before 1.8.0 contain a sandbox escape vulnerability. The issue arises because Ares trusts certain Java packages, and an attacker can include malicious class files in those trusted packages, bypassing the security manager's restrictions [1][2].
Exploitation
An attacker who can supply Java class files (e.g., as part of a student submission) places them in a package that Ares trusts. When a victim—such as a student running tests or an assessor performing manual correction—executes the supposedly sandboxed code, the malicious classes are loaded with elevated privileges, escaping the sandbox [3].
Impact
Successful exploitation allows arbitrary Java code execution within the sandbox context. This can lead to full compromise of the test container or the assessor's machine, depending on the deployment [3].
Mitigation
The vulnerability is patched in Ares version 1.8.0 [4]. For users who cannot upgrade immediately, a workaround using the Maven Enforcer Plugin to detect student classes in trusted packages is described in the security advisory [3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
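The workaround described under Mitigation is a build-time check that rejects submissions whose classes land in a trusted package. As an added example (not code from Ares or the advisory), this Python check reads the package each `.class` file actually declares instead of relying on its path; `TRUSTED_PREFIXES` is a hypothetical placeholder list, and `sample_class` only builds constructed test input.

```python
import struct
from pathlib import Path

# Hypothetical placeholder prefix; take the real trusted-package list from your Ares setup.
TRUSTED_PREFIXES = ("org.example.trusted.",)
# Constant-pool payload sizes by tag (JVM class-file format); Utf8 (tag 1) is variable.
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
          15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def class_name(data: bytes) -> str:
    """Return the dotted binary name a .class file declares (its this_class entry)."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    (count,) = struct.unpack_from(">H", data, 8)
    pool, pos, i = {}, 10, 1
    while i < count:
        tag, pos = data[pos], pos + 1
        if tag == 1:                                  # Utf8: u2 length + bytes
            (n,) = struct.unpack_from(">H", data, pos)
            pool[i] = data[pos + 2:pos + 2 + n].decode("utf-8", "replace")
            pos += 2 + n
        elif tag in _FIXED:
            if tag == 7:                              # Class: index of its Utf8 name
                pool[i] = struct.unpack_from(">H", data, pos)[0]
            pos += _FIXED[tag]
        else:
            raise ValueError(f"unknown constant tag {tag}")
        i += 2 if tag in (5, 6) else 1                # Long/Double occupy two slots
    (this_class,) = struct.unpack_from(">H", data, pos + 2)  # skip access_flags
    return pool[pool[this_class]].replace("/", ".")

def find_violations(root, trusted=TRUSTED_PREFIXES):
    """List (path, declared name) for classes in a trusted package; name is None if unparseable."""
    hits = []
    for path in sorted(Path(root).rglob("*.class")):
        try:
            name = class_name(path.read_bytes())
        except (ValueError, KeyError, IndexError, AttributeError, struct.error):
            name = None                               # unparseable: fail closed and report it
        if name is None or name.startswith(tuple(trusted)):
            hits.append((str(path), name))
    return hits

def sample_class(name: str) -> bytes:
    """Constructed minimal class-file prefix (just enough for class_name), demo input only."""
    utf = name.replace(".", "/").encode()
    return (b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, 3)             # magic, version, pool count
            + b"\x01" + struct.pack(">H", len(utf)) + utf + b"\x07\x00\x01"  # #1 Utf8, #2 Class -> #1
            + struct.pack(">HH", 0x0021, 2))                                # access_flags, this_class
```

Run `find_violations` over the compiled submission output and fail the build on any hit; this does not replace upgrading to 1.8.0.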
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| de.tum.in.ase:artemis-java-test-sandbox (Maven) | < 1.8.0 | 1.8.0 |
References
- github.com/advisories/GHSA-227w-wv4j-67h4 (GHSA, third-party advisory)
- github.com/ls1intum/Ares/security/advisories/GHSA-227w-wv4j-67h4 (GHSA, vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-23682 (GHSA, advisory)
- vulncheck.com/advisories/vc-advisory-GHSA-227w-wv4j-67h4 (GHSA, third-party advisory)
- github.com/ls1intum/Ares/issues/15 (GHSA, issue tracking)
- github.com/ls1intum/Ares/releases/tag/1.8.0 (GHSA, related)