SecurityWeek reports that Judge0, an online open-source service that executes arbitrary code inside a sandbox, has been impacted by three critical vulnerabilities that could be leveraged for sandbox escapes, privilege escalation, and system takeovers.
The first of the identified security issues is a maximum-severity bug, tracked as CVE-2024-28185, which could allow script overwriting and the complete compromise of the Judge0 system, including its internal networks, database, webserver, and other apps, according to an advisory from Tanto Security.
Another maximum-severity bug, tracked as CVE-2024-28189, could be exploited to enable arbitrary file and command execution outside the sandbox. The last vulnerability, a server-side request forgery flaw tracked as CVE-2024-29021, could allow threat actors to replace certain columns' datatypes in order to perform command injection and code execution on the Docker container, according to Tanto Security.
Organizations running Judge0 versions prior to 1.13.1 have been urged to update their instances immediately to prevent potential exploitation.