CVE-2024-52584

Autolab is a course management service that enables auto-graded programming assignments. There is a vulnerability in version 3.0.1 where CAs can view or edit the grade for any submission ID, even if they are not a CA for the class that has the submission. The endpoints only check that the CAs have the authorization level of a CA in the class in the endpoint, which is not necessarily the class the submission is attached to. Version 3.0.2 contains a patch. No known workarounds are available.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/autolab/Autolab/commit/96006d532a392eeca2d350d1811f8e8ab9625bda	Patch
https://github.com/autolab/Autolab/security/advisories/GHSA-rjg4-cf66-x6gr	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:autolabproject:autolab:3.0.1:*:*:*:*:*:*:*

History

21 Jan 2025, 17:55

Type	Values Removed	Values Added
First Time		Autolabproject Autolabproject autolab
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.4
CPE		cpe:2.3:a:autolabproject:autolab:3.0.1:::::::*
References	~~() https://github.com/autolab/Autolab/commit/96006d532a392eeca2d350d1811f8e8ab9625bda -~~	() https://github.com/autolab/Autolab/commit/96006d532a392eeca2d350d1811f8e8ab9625bda - Patch
References	~~() https://github.com/autolab/Autolab/security/advisories/GHSA-rjg4-cf66-x6gr -~~	() https://github.com/autolab/Autolab/security/advisories/GHSA-rjg4-cf66-x6gr - Vendor Advisory

Information

Published : 2024-11-18 21:15

Updated : 2025-01-21 17:55

NVD link : CVE-2024-52584

Mitre link : CVE-2024-52584

CVE.ORG link : CVE-2024-52584

JSON object : View

Products Affected

autolabproject

autolab

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2024-52584", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"safety": "NOT_DEFINED", "version": "4.0", "recovery": "NOT_DEFINED", "baseScore": 4.9, "automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "UNREPORTED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "modifiedAttackVector": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subsequentSystemIntegrity": "NONE", "vulnerableSystemIntegrity": "NONE", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "confidentialityRequirements": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "vulnerableSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "vulnerableSystemConfidentiality": "HIGH", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED"}}]}, "published": "2024-11-18T21:15:07.047", "references": [{"url": "https://github.com/autolab/Autolab/commit/96006d532a392eeca2d350d1811f8e8ab9625bda", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/autolab/Autolab/security/advisories/GHSA-rjg4-cf66-x6gr", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "Autolab is a course management service that enables auto-graded programming assignments. There is a vulnerability in version 3.0.1 where CAs can view or edit the grade for any submission ID, even if they are not a CA for the class that has the submission. The endpoints only check that the CAs have the authorization level of a CA in the class in the endpoint, which is not necessarily the class the submission is attached to. Version 3.0.2 contains a patch. No known workarounds are available."}, {"lang": "es", "value": "Autolab es un servicio de gesti\u00f3n de cursos que permite la calificaci\u00f3n autom\u00e1tica de tareas de programaci\u00f3n. Existe una vulnerabilidad en la versi\u00f3n 3.0.1 en la que los CA pueden ver o editar la calificaci\u00f3n de cualquier ID de env\u00edo, incluso si no son CA de la clase que tiene el env\u00edo. Los endpoints solo verifican que los CA tengan el nivel de autorizaci\u00f3n de un CA de la clase en el endpoint, que no es necesariamente la clase a la que est\u00e1 asociado el env\u00edo. La versi\u00f3n 3.0.2 contiene un parche. No hay workarounds disponibles."}], "lastModified": "2025-01-21T17:55:15.340", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:autolabproject:autolab:3.0.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F7DE5B67-FBCC-47C8-B03B-40B45F66A5B9"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}