CVE-2024-23682

HIGH 8.2, EPSS 0.28%

Class Loading Vulnerability in Artemis

Published: 2/9/2022, Modified: 2/4/2026
Also known as: GHSA-227w-wv4j-67h4

Description

### Impact

This affects all Artemis users who test Java assignments. **Ares is not required.** Student code that gets automatically tested can run arbitrary code in the container, or arbitrary code on the machine of an assessor in the case of manual correction.

### Patches

The problem cannot be resolved easily in Ares itself. Use the Maven Enforcer Plugin as follows:

```xml
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-enforcer-plugin</artifactId>
  <version>3.0.0</version>
  <executions>
    <execution>
      <id>enforce-no-student-code-in-trusted-packages</id>
      <phase>process-classes</phase>
      <goals>
        <goal>enforce</goal>
      </goals>
    </execution>
  </executions>
  <configuration>
    <rules>
      <requireFilesDontExist>
        <files>
          <!-- ADD HERE THE RULES ARES TELLS YOU ARE MISSING -->
        </files>
      </requireFilesDontExist>
    </rules>
  </configuration>
</plugin>
```

This fails the build if student classes reside in packages that Ares trusts. Trusted packages added in Ares using `@AddTrustedPackage` should be added to the rule as well.

### For more information

If you have any questions or comments about this advisory:

* Open a discussion at https://github.com/ls1intum/Ares/discussions
* Open an issue at https://github.com/ls1intum/Ares/issues
* Email us, see https://github.com/ls1intum/Ares/security/policy

### References

See the assignment of Julius that passes the tests in the TUM Artemis course: "Test - Praktikum: Grundlagen der Programmierung (Testkurs für Tutoren) - Security Tests" (if that still exists in 2022). Also see #15 for almost the same problem.
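The Enforcer rule in the Patches section only inspects compiled classes. As an added example (not Ares or Artemis code), the shell check below applies the same idea to any source or class root: it maps each trusted package name to a directory and fails if a student `.java` or `.class` file lives there. The package names passed in are assumptions; use the ones Ares reports and any added with `@AddTrustedPackage`.

```shell
#!/bin/sh
# Added example, not part of Ares or Artemis. Fails when a student source or
# class file sits inside a package that Ares trusts, so the file never reaches
# the sandbox with trusted-package privileges.

# check_trusted_packages <root-dir> <package>...
#   <root-dir>: a source root (src/main/java) or class root (target/classes)
#   <package>:  dotted package name (assumed values; take them from Ares)
# Returns 0 if no student file lives under a trusted package, 1 otherwise.
check_trusted_packages() {
  root="$1"; shift
  violations=0
  for pkg in "$@"; do
    # trusted.api -> $root/trusted/api
    dir="$root/$(printf '%s' "$pkg" | tr '.' '/')"
    [ -d "$dir" ] || continue
    # every .java or .class file at or below the trusted package directory counts
    hits=$(find "$dir" -type f \( -name '*.java' -o -name '*.class' \) | wc -l | tr -d ' ')
    if [ "$hits" -gt 0 ]; then
      find "$dir" -type f \( -name '*.java' -o -name '*.class' \) \
        | sed "s|^|student code in trusted package $pkg: |" >&2
      violations=$((violations + hits))
    fi
  done
  [ "$violations" -eq 0 ]
}

# demo: constructed layout with one offending file and one legitimate one
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/trusted/api" "$tmp/student/pkg"
  echo 'class Evil {}' > "$tmp/trusted/api/Evil.java"   # lands in a trusted package
  echo 'class Ok {}'   > "$tmp/student/pkg/Ok.java"     # ordinary student package
  if check_trusted_packages "$tmp" trusted.api; then
    echo "unexpected: check passed"
  else
    echo "check failed as expected"
  fi
  rm -rf "$tmp"
}
```

Run it as a CI step before `mvn test` to catch the problem on the source tree as well as on `target/classes`.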

Affected packages (2)

CVSS scores

| Source | Version | Severity | Vector |
| --- | --- | --- | --- |
| osv | CVSS 3.1 | HIGH 8.2 | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H |

References (7)