8.3

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-98hq-4wmw-98w9

EPSS Score

CWE

CWE-284

Published

2/10/2023

Updated

2/24/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-98hq-4wmw-98w9

GHSA-98hq-4wmw-98w9: Arbitrary code execution in de.tum.in.ase:artemis-java-test-sandbox

Summary

Because of the missing checkLink(String) override in the SecurityManager, students can load libraries and execute arbitrary code.

Details

Using System.load(String) or System.loadLibrary(String) students can load and execute arbitrary code.

private static native void start(List<String> args);

public static void main(String[] args) {
  System.load(new File("path_to_lib.so").getAbsolutePath());
  start(List.of(args));
}

Adding this to the security manager (and a translation) should fix the issue:

@Override
public void checkExec(String cmd) {
  try {
    if (enterPublicInterface())
      return;
    throw new SecurityException(localized("security.error_link")); //$NON-NLS-1$
  } finally {
    exitPublicInterface();
  }
}

PoC

See details.

Impact

Arbitrary code execution.

(GitHub Advisory)

8.3

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-98hq-4wmw-98w9

EPSS Score

CWE

CWE-284

Published

2/10/2023

Updated

2/24/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
de.tum.in.ase:artemis-java-test-sandbox	maven	< 1.11.2	1.11.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability arises because the custom SecurityManager in the sandbox does not override checkLink(String), which is required to restrict library loading. System.load and System.loadLibrary are standard Java methods that trigger checkLink checks. Without proper access control in checkLink, these methods allow students to load malicious native libraries containing arbitrary code. The advisory explicitly identifies these methods as the exploitation vectors, and their presence in student-accessible code makes them vulnerable entry points.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry ****us* o* t** missin* `****kLink(Strin*)` ov*rri** in t** S**urityM*n***r, stu**nts **n lo** li*r*ri*s *n* *x**ut* *r*itr*ry *o**. ### **t*ils Usin* `Syst*m.lo**(Strin*)` or `Syst*m.lo**Li*r*ry(Strin*)` stu**nts **n lo** *n* *x**ut* *r

Reasoning

T** vuln*r**ility *ris*s ****us* t** *ustom `S**urityM*n***r` in t** s*n**ox *o*s not ov*rri** `****kLink(Strin*)`, w*i** is r*quir** to r*stri*t li*r*ry lo**in*. `Syst*m.lo**` *n* `Syst*m.lo**Li*r*ry` *r* st*n**r* J*v* m*t*o*s t**t tri***r `****kLin

8.3

Basic Information

Concerned about an active attack path?

GHSA-98hq-4wmw-98w9: Arbitrary code execution in de.tum.in.ase:artemis-java-test-sandbox

Summary

Details

PoC

Impact

8.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI