Sandbox Escape Vulnerabilities in Judge0 Expose Systems to Complete Takeover

Sandbox Escape Vulnerabilities in Judge0 Expose Systems to Complete Takeover

April 29, 2024 at 06:48AM

Multiple critical security flaws were disclosed in the Judge0 open-source online code execution system, posing a risk of code execution on the target system. The flaws allow a sandbox escape and obtaining root permissions. The vulnerabilities, with CVE scores of 10.0 and 9.1, have been addressed in version 1.13.1 released on April 18, 2024.

From the meeting notes provided, the major takeaways are as follows:

1. Three critical security flaws have been disclosed in the Judge0 open-source online code execution system, allowing adversaries to potentially obtain code execution on the target system.
2. The identified flaws are CVE-2024-28185, CVE-2024-28189, and CVE-2024-29021, all of which have high CVSS scores.
3. These vulnerabilities could be exploited to perform sandbox escape, gain root permissions, and execute unsandboxed code on the target machine.
4. The flaws are related to the default configuration of Judge0, specifically in the isolate_job.rb Ruby script, and the use of Docker containers with privileged flags.
5. The vulnerabilities have been addressed in version 1.13.1 released on April 18, 2024, and users are advised to update to the latest version to mitigate potential threats.

I hope this summary accurately captures the key points from the meeting notes. Let me know if you need any further details or information.

Full Article