CVE-2024-28185
📋 TL;DR
CVE-2024-28185 is a critical symlink vulnerability in Judge0 that allows attackers to write arbitrary files outside the sandbox, potentially leading to remote code execution. Any organization running Judge0 for online code execution services is affected. The vulnerability exists because Judge0 doesn't properly handle symbolic links in the sandbox directory.
💻 Affected Systems
- Judge0
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining root access, data exfiltration, and persistent backdoor installation.
Likely Case
Remote code execution leading to service disruption, data theft, and lateral movement within the network.
If Mitigated
Limited impact if proper network segmentation and least privilege principles are implemented.
🎯 Exploit Status
Exploitation requires the ability to submit code for execution. The vulnerability is well-documented in public advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.13.1
Vendor Advisory: https://github.com/judge0/judge0/security/advisories/GHSA-h9g2-45c8-89cf
Restart Required: Yes
Instructions:
1. Update Judge0 to version 1.13.1 or later.
2. Pull the latest Docker image if using containers.
3. Restart the Judge0 service.
4. Verify the fix by checking the version.
🔧 Temporary Workarounds
Disable Judge0 Service
Linux: Temporarily disable Judge0 until patching is possible
sudo systemctl stop judge0
sudo docker stop judge0_container
Implement Network Restrictions
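Linux: Restrict access to Judge0 to trusted IPs only. Replace TRUSTED_IP with the permitted source address. When port 2358 is published by Docker, traffic to it traverses the FORWARD chain rather than INPUT, so apply the equivalent restriction in the DOCKER-USER chain.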
sudo iptables -A INPUT -p tcp --dport 2358 -s TRUSTED_IP -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 2358 -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Judge0 from critical systems
- Deploy additional monitoring and alerting for suspicious file writes and symlink creation
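One way to implement the symlink monitoring mentioned above, as an added example (not Judge0's code and not part of the original advisory): a sweep that flags symlinks under a sandbox root whose resolved target lies outside it. The directory layout and the names `find_escaping_symlinks` and `build_demo_tree` are assumptions constructed for the demonstration.

```python
import os
import tempfile


def find_escaping_symlinks(sandbox_root):
    """Return sorted (link_path, resolved_target) pairs for every symlink under
    sandbox_root whose target resolves to a location outside sandbox_root."""
    root = os.path.realpath(sandbox_root)
    findings = []
    # followlinks=False: list symlinked directories but never descend into them.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            # realpath resolves relative, chained and dangling links.
            target = os.path.realpath(path)
            if os.path.commonpath([root, target]) != root:
                findings.append((path, target))
    return sorted(findings)


def build_demo_tree(base):
    """Constructed sample layout (hypothetical names): one link that stays
    inside the sandbox and two that resolve outside it."""
    sandbox = os.path.join(base, "box")
    outside = os.path.join(base, "host_file")
    os.makedirs(os.path.join(sandbox, "work"))
    open(outside, "w").close()
    open(os.path.join(sandbox, "work", "main.py"), "w").close()
    os.symlink("main.py", os.path.join(sandbox, "work", "alias.py"))  # inside
    os.symlink(outside, os.path.join(sandbox, "work", "out.txt"))     # outside
    os.symlink("../../missing", os.path.join(sandbox, "dangling"))    # outside, dangling
    return sandbox


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        for link, target in find_escaping_symlinks(build_demo_tree(base)):
            print(f"ALERT symlink escapes sandbox: {link} -> {target}")
```

A sweep like this is point-in-time, so it supplements the upgrade to 1.13.1 rather than replacing it.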
🔍 How to Verify
Check if Vulnerable:
Check Judge0 version: if version < 1.13.1, system is vulnerable. Review logs for symlink creation attempts.
Check Version:
docker exec judge0_container judge0 --version
If that command is not available, check the package manager for the installed version.
Verify Fix Applied:
Verify Judge0 version is 1.13.1 or later. Test that symlink creation in sandbox directory no longer allows arbitrary file writes.
📡 Detection & Monitoring
Log Indicators:
- Multiple symlink creation attempts in /tmp or sandbox directories
- Unexpected file writes outside sandbox boundaries
- Failed sandbox escape attempts
Network Indicators:
- Unusual outbound connections from Judge0 server
- Increased traffic to Judge0 API endpoints
SIEM Query:
source="judge0.logs" AND (event="symlink" OR event="sandbox_violation")
🔗 References
- https://github.com/judge0/judge0/blob/v1.13.0/app/jobs/isolate_job.rb#L197-L201
- https://github.com/judge0/judge0/commit/846d5839026161bb299b7a35fd3b2afb107992fc
- https://github.com/judge0/judge0/security/advisories/GHSA-h9g2-45c8-89cf