How severe is CVE-2024-28185?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 10 out of 10.

What type of vulnerability is CVE-2024-28185?

This is classified as CWE-59, which is a common weakness in software security.

CVE-2024-28185

CRITICAL Year: 2024

CVSS v3 Score

10.0

Critical

Weakness Type

CWE-59

View all →

Vulnerability Description

Judge0 is an open-source online code execution system. The application does not account for symlinks placed inside the sandbox directory, which can be leveraged by an attacker to write to arbitrary files and gain code execution outside of the sandbox. When executing a submission, Judge0 writes a `run_script` to the sandbox directory. The security issue is that an attacker can create a symbolic link (symlink) at the path `run_script` before this code is executed, resulting in the `f.write` writing to an arbitrary file on the unsandboxed system. An attacker can leverage this vulnerability to overwrite scripts on the system and gain code execution outside of the sandbox.

CVE-2024-28189

CRITICAL

CVSS:10.0(Critical)

Judge0 is an open-source online code execution system. The application uses the UNIX chown command on an untrusted file within the sandbox. An attacker can abuse this by creating a symbolic link (syml...

CWE-592024

CVE-2024-37143

CRITICAL

CVSS:10.0(Critical)

Dell PowerFlex appliance versions prior to IC 46.381.00 and IC 46.376.00, Dell PowerFlex rack versions prior to RCM 3.8.1.0 (for RCM 3.8.x train) and prior to RCM 3.7.6.0 (for RCM 3.7.x train), Dell P...

CWE-592024

CVE-2017-2916

CRITICAL

CVSS:9.9(Critical)

An exploitable vulnerability exists in the /api/CONFIG/restore functionality of Circle with Disney running firmware 2.0.1. Specially crafted network packets can cause an arbitrary file to be overwritt...

CWE-592017

CVE-2018-5225

CRITICAL

CVSS:9.9(Critical)

In browser editing in Atlassian Bitbucket Server from version 4.13.0 before 5.4.8 (the fixed version for 4.13.0 through 5.4.7), 5.5.0 before 5.5.8 (the fixed version for 5.5.x), 5.6.0 before 5.6.5 (th...

CWE-592018

CVE-2003-1233

CRITICAL

CVSS:9.8(Critical)

Pedestal Software Integrity Protection Driver (IPD) 1.3 and earlier allows privileged attackers, such as rootkits, to bypass file access restrictions to the Windows kernel by using the NtCreateSymboli...

CWE-592003

CVE-2018-1000544

CRITICAL

CVSS:9.8(Critical)

rubyzip gem rubyzip version 1.2.1 and earlier contains a Directory Traversal vulnerability in Zip::File component that can result in write arbitrary files to the filesystem. This attack appear to be e...

CWE-592018

CVE-2024-28185

Vulnerability Description

Related Vulnerabilities

CVE-2024-28189

CVE-2024-37143

CVE-2017-2916

CVE-2018-5225

CVE-2003-1233

CVE-2018-1000544