Three critical-severity vulnerabilities in the Judge0 open source service could allow attackers to perform sandbox escapes and completely take over the host machine, according to a warning from cybersecurity firm Tanto Security.
The company documented the flaws in an advisory that warns that Judge0 versions prior to 1.13.1 are impacted by CVE-2024-28185, CVE-2024-28189, and CVE-2024-29021, three issues that allow attackers to achieve code execution outside the sandbox and escalate their privileges to completely take over the Judge0 system.
The company said CVE-2024-28185 (CVSS 10/10) exists because the application does not account for symlinks stored in the sandbox directory, allowing an attacker to plant a symlink and abuse the Judge0 code path that writes a run_script into the sandbox directory when a submission is executed.
The flaw allows an attacker to overwrite scripts on the system and execute code on the Docker container running the submission job. The attacker could then escalate their privileges outside the container and gain full access “to the Judge0 system including the database, internal networks, the Judge0 webserver, and any other applications running on the Linux host.”
Tanto Security said CVE-2024-28189 (CVSS 10/10) exists because the UNIX chown command is used on an untrusted file within the sandbox. By creating a symlink to a file outside the sandbox, an attacker could run the command on arbitrary files outside of the sandbox.
According to Tanto Security’s Daniel Cooper, CVE-2024-28189 is effectively a bypass for the patch Judge0 rolled out for CVE-2024-28185. Once the attacker can run the chown command, the exploitation follows the same path.
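Both root causes described above come down to operating on a path inside a directory the submission controls while following symlinks. The following is an added illustration, not Judge0's code or the advisory's proof of concept: it shows the hardened form of the two operations (writing the run script and changing ownership of a file in the sandbox), using `O_NOFOLLOW` and descriptor-based calls so a planted symlink is refused rather than followed. The function names, the sandbox layout and the `demo()` scenario are constructed for this example and assume a Linux host.

```python
"""
Symlink-safe handling of files inside an untrusted sandbox directory.
Added example (not Judge0's code). The vulnerable pattern is to build a path
under the sandbox and call open()/chown() on it: both follow symlinks, so a
link planted by the submission redirects the operation outside the sandbox.
"""
import errno
import os
import stat
import tempfile


class UnsafeSandboxPath(Exception):
    """Raised when a sandbox path would escape via a symlink or bad name."""


def _open_nofollow(path: str, flags: int, mode: int = 0o700) -> int:
    """open(2) with O_NOFOLLOW; a symlink as the final component yields ELOOP."""
    try:
        return os.open(path, flags | os.O_NOFOLLOW, mode)
    except OSError as exc:
        if exc.errno == errno.ELOOP:
            raise UnsafeSandboxPath(f"{path} is a symlink") from exc
        raise


def write_run_script(sandbox_dir: str, name: str, contents: str) -> str:
    """Write contents to sandbox_dir/name without following a symlink.

    Hardened replacement for open(os.path.join(sandbox_dir, name), "w").
    """
    if os.sep in name or name in ("", ".", ".."):
        raise UnsafeSandboxPath(f"rejecting script name {name!r}")
    path = os.path.join(sandbox_dir, name)
    fd = _open_nofollow(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC)
    with os.fdopen(fd, "w") as fh:
        fh.write(contents)
    return path


def chown_in_sandbox(sandbox_dir: str, name: str, uid: int, gid: int) -> None:
    """Change ownership of sandbox_dir/name, refusing symlinks.

    Hardened replacement for chown(path): open with O_NOFOLLOW, verify via
    fstat that the descriptor refers to a regular file, then fchown the
    descriptor so the target cannot be swapped between check and use.
    """
    if os.sep in name or name in ("", ".", ".."):
        raise UnsafeSandboxPath(f"rejecting file name {name!r}")
    fd = _open_nofollow(os.path.join(sandbox_dir, name), os.O_RDONLY)
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise UnsafeSandboxPath(f"{name} is not a regular file")
        os.fchown(fd, uid, gid)
    finally:
        os.close(fd)


def demo() -> dict:
    """Constructed scenario: a submission planted symlinks in its sandbox
    pointing at a file outside it. Returns which operations were refused."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        outside = os.path.join(root, "outside.txt")
        with open(outside, "w") as fh:
            fh.write("original\n")
        sandbox = os.path.join(root, "box")
        os.mkdir(sandbox)
        os.symlink(outside, os.path.join(sandbox, "run_script"))
        os.symlink(outside, os.path.join(sandbox, "output"))

        try:
            write_run_script(sandbox, "run_script", "echo pwned\n")
            results["write_refused"] = False
        except UnsafeSandboxPath:
            results["write_refused"] = True

        try:
            # uid/gid of -1 mean "leave unchanged", so no privilege is needed
            chown_in_sandbox(sandbox, "output", -1, -1)
            results["chown_refused"] = False
        except UnsafeSandboxPath:
            results["chown_refused"] = True

        with open(outside) as fh:
            results["outside_intact"] = fh.read() == "original\n"

        # Genuine regular files are still accepted by both helpers
        real = write_run_script(sandbox, "real_script", "echo ok\n")
        chown_in_sandbox(sandbox, "real_script", -1, -1)
        results["regular_ok"] = os.path.basename(real) == "real_script"
    return results


if __name__ == "__main__":
    print(demo())
```

The two helpers share the same discipline: never resolve a sandbox-controlled path with a symlink-following call, and do the ownership change on the descriptor that was just validated rather than on the path again.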
The third bug – CVE-2024-29021 (CVSS 9.1/10) – exists because a configuration option allows submitted applications to perform network requests, such as communicating with Judge0’s PostgreSQL database. A server-side request forgery (SSRF) bug allows an attacker to connect to the database and change the datatype of specific columns to achieve command injection and execute code on the Docker container.
While Judge0 version 1.13.1 resolves all three vulnerabilities, Cooper believes the underlying command execution issue might still exist and could likely be reached through other avenues. Users with self-hosted Judge0 instances are advised to update as soon as possible.
An online service for executing arbitrary code inside a secure sandbox, Judge0 supports the development of applications that require online code execution, such as programming, ecommerce, and recruitment platforms, online code editors, and more.
Judge0 says it is used by more than 20 customers and that over 300 self-hosted instances are currently online; paid options are available for clients who want additional features.