Artemis Java Test Sandbox versions before 1.8.0 are vulnerable to a sandbox escape when an attacker includes class files in a package that…
VulnCheck·CWE-501·Published 2022-02-09
Artemis Java Test Sandbox versions before 1.8.0 are vulnerable to a sandbox escape when an attacker includes class files in a package that Ares trusts. An attacker can abuse this issue to execute arbitrary Java when a victim executes the supposedly sandboxed code.
## Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-227w-wv4j-67h4. This link is maintained to preserve external references.

## Original Description

Artemis Java Test Sandbox versions before 1.8.0 are vulnerable to a sandbox escape when an attacker includes class files in a package that Ares trusts. An attacker can abuse this issue to execute arbitrary Java when a victim executes the supposedly sandboxed code.

### Impact

This affects all Artemis users who test Java assignments. **Ares is not required.** Student code that gets automatically tested can run arbitrary code in the container, or arbitrary code on the machine of an assessor in case of manual correction.

### Patches

The problem cannot be resolved easily in Ares itself. Use the Maven Enforcer Plugin as follows:

```xml
<plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-enforcer-plugin</artifactId>
    <version>3.0.0</version>
    <executions>
        <execution>
            <id>enforce-no-student-code-in-trusted-packages</id>
            <phase>process-classes</phase>
            <goals>
                <goal>enforce</goal>
            </goals>
        </execution>
    </executions>
    <configuration>
        <rules>
            <requireFilesDontExist>
                <files>
                    <!-- ADD HERE THE RULES ARES TELLS YOU ARE MISSING -->
                </files>
            </requireFilesDontExist>
        </rules>
    </configuration>
</plugin>
```

This fails the build if student classes reside in packages that Ares trusts. Trusted packages added in Ares using `@AddTrustedPackage` should be added as well.

### For more information

If you have any questions or comments about this advisory:

* Open a discussion https://github.com/ls1intum/Ares/discussions
* Open an issue in https://github.com/ls1intum/Ares/issues
* Email us, see https://github.com/ls1intum/Ares/security/policy

### References

See the assignment of Julius that passes the tests in TUM Artemis course: "Test - Praktikum: Grundlagen der Programmierung (Testkurs für Tutoren) - Security Tests" (if that still exists in 2022). Also see #15 for almost the same problem.
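
The enforcer rule under Patches names individual files that must not exist. As an added example (not part of the advisory or the Ares project), the same condition can be checked by scanning the compiled class directory for any class file that sits under a trusted package. The package names below are hypothetical placeholders, and treating subpackages of a trusted package as trusted is an assumption.

```python
"""Added example: pre-build check for class files in sandbox-trusted packages."""
import tempfile
from pathlib import Path

# Hypothetical placeholders: use the packages Ares reports for your setup,
# plus any you added with @AddTrustedPackage.
TRUSTED_PACKAGES = ["com.example.trusted", "org.example.testlib"]


def find_classes_in_trusted_packages(classes_dir, trusted_packages):
    """Return relative paths of .class files whose directory maps to a trusted
    package or (assumption) one of its subpackages."""
    root = Path(classes_dir)
    prefixes = [tuple(p.split(".")) for p in trusted_packages]
    hits = []
    for class_file in root.rglob("*.class"):
        package_parts = class_file.relative_to(root).parts[:-1]
        # Compare whole path components so "com.example.trustedx" does not
        # match the trusted prefix "com.example.trusted".
        if any(package_parts[:len(p)] == p for p in prefixes):
            hits.append(class_file.relative_to(root).as_posix())
    return sorted(hits)


def demo():
    """Build a constructed target/classes layout and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel in [
            "student/Main.class",                      # normal location
            "com/example/trusted/Helper.class",        # inside trusted package
            "com/example/trusted/util/Inner.class",    # trusted subpackage
            "com/example/trustedx/Lookalike.class",    # similar name only
            "org/example/testlib/notes.txt",           # not a class file
        ]:
            path = root / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(b"")  # constructed empty files, content is not parsed
        return find_classes_in_trusted_packages(root, TRUSTED_PACKAGES)


if __name__ == "__main__":
    offending = demo()
    for rel in offending:
        print("class file in trusted package:", rel)
    raise SystemExit(1 if offending else 0)
```

Run against the real build output directory in CI, a non-empty result should fail the job before any test executes the submitted classes.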
| CVSS version | Type | Source | Base score | Exploitability | Impact | Vector |
|---|---|---|---|---|---|---|
| 3.1 | Primary | cve.org | 8.2 | — | — | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H |
| 3.1 | Primary | NVD | 8.2 | 1.5 | 6.0 | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H |
| 3.1 | Secondary | GHSA | 8.2 | — | — | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H |
| 3.1 | Secondary | NVD | 8.2 | 1.5 | 6.0 | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H |