April 30, 2024 at 01:33PM
Three critical-severity vulnerabilities in the Judge0 open source service enable sandbox escapes and complete host machine takeovers. The flaws impact versions before 1.13.1 and can lead to code execution outside the sandbox, privilege escalation, and full system access. While version 1.13.1 addresses the issues, the potential for exploitation via other methods remains.
Key Takeaways from the Meeting Notes:
– Cybersecurity firm Tanto Security has identified three critical-severity vulnerabilities in the Judge0 open source service.
– These vulnerabilities could allow attackers to perform sandbox escapes and completely take over the host machine.
– The vulnerabilities affect Judge0 versions prior to 1.13.1 and are documented as CVE-2024-28185, CVE-2024-28189, and CVE-2024-29021.
– Each vulnerability is explained in detail, highlighting the potential impact and exploitability by attackers.
– Judge0 version 1.13.1 resolves all three vulnerabilities, but Tanto Security believes that the underlying command execution issue might still exist and could be exploitable using other methods.
– Users with self-hosted Judge0 instances are advised to update to version 1.13.1 as soon as possible.
Additionally, it’s important to note that Judge0 is an online service for executing arbitrary code inside a secure sandbox and is used by more than 20 customers. There are over 300 self-hosted instances currently online, with paid options available for clients seeking additional features.
Related vulnerabilities in other systems and applications have also been mentioned in the notes for context.