Unrated severityNVD Advisory· Published Nov 25, 2024· Updated Nov 25, 2024

download_all_submissions allows student to download another student's submissions in Autolab

CVE-2024-53258

Description

Autolab is a course management service that enables auto-graded programming assignments. From Autolab versions v.3.0.0 onward students can download all assignments from another student, as long as they are logged in, using the download_all_submissions feature. This can allow for leakage of submissions to unauthorized users, such as downloading submissions from other students in the class, or even instructor test submissions, given they know their user IDs. This issue has been patched in commit 1aa4c769 which is not yet in a release version, but is expected to be included in version 3.0.3. Users are advised to either manually patch or to wait for version 3.0.3. As a workaround administrators can disable the feature.

Affected products

Autolab/Autolabllm-fuzzy2 versions
>=3.0.0, <3.0.3+ 1 more
- (no CPE)range: >=3.0.0, <3.0.3
- (no CPE)range: >= 3.0.0, before commit 1aa4c7690892fb458d2c61ff86739f368e34769d

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/autolab/Autolab/commit/1aa4c7690892fb458d2c61ff86739f368e34769dmitrex_refsource_MISC
github.com/autolab/Autolab/security/advisories/GHSA-84qc-7773-2gg3mitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000