{"id":"GHSA-227w-wv4j-67h4","summary":"Class Loading Vulnerability in Artemis","details":"### Impact\nThis affects all Artemis users who test Java assignments. **Ares is not required.**\nStudent code that is tested automatically can run arbitrary code in the build container, or arbitrary code on the machine of an assessor who runs the tests locally for manual correction. Ares grants trust per package, so a student class compiled into a package that Ares trusts is treated as trusted code and is no longer confined by the sandbox.\n\n### Patches\nThe problem cannot be resolved easily in Ares itself (1.8.0 is recorded as the fixed release; see the affected range). Use the Maven Enforcer Plugin in the test project's `pom.xml` as follows:\n\n```xml\n\u003cplugin\u003e\n    \u003cgroupId\u003eorg.apache.maven.plugins\u003c/groupId\u003e\n    \u003cartifactId\u003emaven-enforcer-plugin\u003c/artifactId\u003e\n    \u003cversion\u003e3.0.0\u003c/version\u003e\n    \u003cexecutions\u003e\n        \u003cexecution\u003e\n            \u003cid\u003eenforce-no-student-code-in-trusted-packages\u003c/id\u003e\n            \u003cphase\u003eprocess-classes\u003c/phase\u003e\n            \u003cgoals\u003e\n                \u003cgoal\u003eenforce\u003c/goal\u003e\n            \u003c/goals\u003e\n        \u003c/execution\u003e\n    \u003c/executions\u003e\n    \u003cconfiguration\u003e\n        \u003crules\u003e\n            \u003crequireFilesDontExist\u003e\n                \u003cfiles\u003e\n                    \u003c!-- ADD HERE THE RULES ARES TELLS YOU ARE MISSING --\u003e\n                \u003c/files\u003e\n            \u003c/requireFilesDontExist\u003e\n        \u003c/rules\u003e\n    \u003c/configuration\u003e\n\u003c/plugin\u003e\n```\n\nThis fails the build if any student class file exists in a package that Ares trusts. Every package you additionally trust with `@AddTrustedPackage` must be listed here as well; otherwise students can still place classes in it.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open a discussion https://github.com/ls1intum/Ares/discussions\n* Open an issue in https://github.com/ls1intum/Ares/issues\n* Email us, see https://github.com/ls1intum/Ares/security/policy\n\n### References\nSee the assignment of Julius that passes the tests in the TUM Artemis course \"Test - Praktikum: Grundlagen der Programmierung (Testkurs für Tutoren) - Security Tests\" (if that still exists in 2022).\n\nAlso see #15 for almost the same problem.","aliases":["CVE-2024-23682"],"modified":"2026-02-04T03:37:02.284202Z","published":"2022-02-09T22:30:30Z","related":["CVE-2024-23682"],"database_specific":{"github_reviewed":true,"nvd_published_at":null,"cwe_ids":["CWE-501","CWE-653"],"github_reviewed_at":"2022-02-09T22:30:30Z","severity":"HIGH"},"references":[{"type":"WEB","url":"https://github.com/ls1intum/Ares/security/advisories/GHSA-227w-wv4j-67h4"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-23682"},{"type":"WEB","url":"https://github.com/ls1intum/Ares/issues/15"},{"type":"PACKAGE","url":"https://github.com/ls1intum/Ares"},{"type":"WEB","url":"https://github.com/ls1intum/Ares/releases/tag/1.8.0"},{"type":"WEB","url":"https://vulncheck.com/advisories/vc-advisory-GHSA-227w-wv4j-67h4"}],"affected":[{"package":{"name":"de.tum.in.ase:artemis-java-test-sandbox","ecosystem":"Maven","purl":"pkg:maven/de.tum.in.ase/artemis-java-test-sandbox"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.8.0"}]}],"versions":["1.0.0","1.0.1","1.1.0","1.1.1","1.2.0","1.2.1","1.2.2","1.3.0","1.3.1","1.3.2","1.3.3","1.3.4","1.4.0","1.4.1","1.4.2","1.4.3","1.4.4","1.4.5","1.4.6","1.4.7","1.5.0","1.5.1","1.5.2","1.5.3","1.5.4","1.5.5","1.6.0","1.7.0","1.7.1","1.7.2","1.7.3","1.7.5","1.7.6"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-227w-wv4j-67h4/GHSA-227w-wv4j-67h4.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"}]}
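The enforcer rule in the advisory only covers the paths you list by hand, and the `@AddTrustedPackage` caveat is easy to forget. The script below is an added example (not code from Ares, Artemis or the advisory) that performs the same check outside Maven: it walks the compiled student output, builds the trusted set from a list you supply plus every `@AddTrustedPackage("...")` found in the test sources, and reports each class file whose package is a trusted package or a subpackage of one. The package name `de.tum.in.test`, the annotation spelling, the directory layout and the sample files are constructed for the demo and are assumptions, not facts taken from the advisory.

```python
"""Build-side check that no student class resides in a package Ares trusts.

Added example; not code from Ares, Artemis or the advisory. Assumptions:
- the advisory does not say which packages Ares trusts, so the trusted list is
  supplied by the caller (`de.tum.in.test` in demo() is an assumed example),
- extra trusted packages appear in test sources as @AddTrustedPackage("pkg")
  and are discovered with a regex (assumed spelling).
"""
import re
import tempfile
from pathlib import Path
from typing import Iterable

# Matches @AddTrustedPackage("pkg.name") in test sources (assumed annotation form).
_ADD_TRUSTED_RE = re.compile(r'@AddTrustedPackage\s*\(\s*"([\w.]+)"\s*\)')


def trusted_packages_from_tests(test_src: Path) -> set:
    """Collect package names passed to @AddTrustedPackage in the test sources."""
    found = set()
    for java in test_src.rglob("*.java"):
        found.update(_ADD_TRUSTED_RE.findall(java.read_text(encoding="utf-8")))
    return found


def is_trusted(pkg: str, trusted: Iterable[str]) -> bool:
    """True if pkg is a trusted package or any subpackage of one.

    The trailing dot matters: `de.tum.in.testing` must not match `de.tum.in.test`.
    """
    return any(pkg == t or pkg.startswith(t + ".") for t in trusted)


def find_violations(student_classes: Path, trusted: Iterable[str]) -> list:
    """Return student class files (relative, POSIX form) living in trusted packages."""
    trusted = set(trusted)
    violations = []
    for cls in student_classes.rglob("*.class"):
        rel = cls.relative_to(student_classes)
        pkg = ".".join(rel.parent.parts)  # default package -> "" (never trusted)
        if is_trusted(pkg, trusted):
            violations.append(rel.as_posix())
    return sorted(violations)


def _touch(path: Path) -> None:
    """Create an empty placeholder file, creating parent directories as needed."""
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(b"")


def demo() -> list:
    """Run the check on a constructed project layout and return the violations."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        classes = root / "target" / "classes"
        tests = root / "test"
        # Constructed test source that widens the trusted set via the annotation.
        tests.mkdir(parents=True)
        (tests / "BehaviorTest.java").write_text(
            '@AddTrustedPackage("de.tum.in.ase.helpers")\npublic class BehaviorTest {}\n',
            encoding="utf-8",
        )
        # Constructed compiled student output: two legitimate classes and two
        # that sit in trusted packages and would therefore inherit Ares's trust.
        _touch(classes / "de/tum/in/ase/Calculator.class")
        _touch(classes / "de/tum/in/testing/Helper.class")   # not a subpackage of de.tum.in.test
        _touch(classes / "de/tum/in/test/api/Escape.class")   # inside the assumed Ares package
        _touch(classes / "de/tum/in/ase/helpers/Impl.class")  # inside the @AddTrustedPackage package

        trusted = {"de.tum.in.test"} | trusted_packages_from_tests(tests)
        return find_violations(classes, trusted)


if __name__ == "__main__":
    for v in demo():
        print("student class in trusted package:", v)
```

Run it as a CI step after `mvn compile` (or call `find_violations` with the real `target/classes` and your real trusted list) and fail the pipeline on a non-empty result; the subpackage rule is the part worth keeping even if you stay with the Maven Enforcer configuration, since a single `<file>` entry for a package directory also covers everything nested under it.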