Judge0 online execution system has critical sandbox escape vulnerabilities
Take action: If you are using the Judge0 remote execution environment, patch ASAP. Your system is used by multiple developers, and even if you trust them all, a mistake or phishing attack can happen.
The Judge0 online code execution system, used in educational and software development contexts for running code remotely, has several critical security flaws that could allow attackers to gain unauthorized access and control over the system.
- CVE-2024-28185 (CVSS score 10): This vulnerability arises from the application's failure to properly handle symlinks within the sandbox directory. Attackers can exploit this by creating a symlink that points to arbitrary files outside the sandbox, enabling them to modify those files and potentially execute code outside the sandbox environment.
- CVE-2024-28189 (CVSS score 10): This is a patch bypass vulnerability for CVE-2024-28185, exploiting the UNIX chown command on an untrusted file within the sandbox. This can be abused to change ownership of files outside the sandbox by linking them via symlinks, thus extending the attacker’s control outside the intended isolated environment.
- CVE-2024-29021 (CVSS score 9.1): Exploits a default configuration vulnerability that allows for a sandbox escape through Server-Side Request Forgery (SSRF). This enables an attacker with access to the Judge0 API to execute unsandboxed code as root on the target machine.
Following the responsible disclosure of these vulnerabilities, the developers of Judge0 released an updated version (1.13.1) on April 18, 2024, which addresses these security flaws. Users of the Judge0 system are strongly advised to upgrade to version 1.13.1.
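Both symlink issues above (CVE-2024-28185 and CVE-2024-28189) involve an operation on a path inside the sandbox being redirected to a file outside it. As an added illustration (not Judge0's code or its actual fix), the Python below resets ownership under a sandbox directory through file descriptors opened with `O_NOFOLLOW`, so a symlink is refused rather than resolved. The function names and the demo layout are constructed for this example.

```python
import os
import stat
import tempfile

def chown_tree_nofollow(root, uid, gid):
    """chown everything under root without following symlinks.
    Returns (changed, refused) as sorted lists of paths relative to root."""
    changed, refused = [], []
    # By contrast, os.chown(path, ...) follows a symlink by default.
    root_fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        _walk(root_fd, "", uid, gid, changed, refused)
    finally:
        os.close(root_fd)
    return sorted(changed), sorted(refused)

def _walk(dir_fd, prefix, uid, gid, changed, refused):
    for name in os.listdir(dir_fd):
        rel = os.path.join(prefix, name)
        try:
            # O_NOFOLLOW fails on a symlink; O_NONBLOCK avoids hanging on a FIFO.
            fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK, dir_fd=dir_fd)
        except OSError:
            refused.append(rel)          # symlink (ELOOP) or unopenable entry
            continue
        try:
            mode = os.fstat(fd).st_mode  # inspect the object actually opened
            if not (stat.S_ISREG(mode) or stat.S_ISDIR(mode)):
                refused.append(rel)      # device, FIFO, socket: leave alone
                continue
            os.fchown(fd, uid, gid)      # acts on the fd, not a re-resolved path
            changed.append(rel)
            if stat.S_ISDIR(mode):
                _walk(fd, rel, uid, gid, changed, refused)
        finally:
            os.close(fd)

def demo():
    """Constructed layout: a sandbox holding a symlink to a file outside it."""
    base = tempfile.mkdtemp()
    box = os.path.join(base, "box")
    os.makedirs(os.path.join(box, "sub"))
    outside = os.path.join(base, "outside.txt")
    for path in (outside, os.path.join(box, "run.sh"), os.path.join(box, "sub", "out.txt")):
        with open(path, "w") as fh:
            fh.write("x")
    os.symlink(outside, os.path.join(box, "link"))
    st = os.stat(box)                    # reuse the current owner: no privileges needed
    return chown_tree_nofollow(box, st.st_uid, st.st_gid)
```

In the demo, `link` ends up in `refused` and the file outside the sandbox is never opened or chowned.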