CVE-2024-29021
📋 TL;DR
Judge0's default configuration is vulnerable to Server-Side Request Forgery (SSRF) leading to sandbox escape. An attacker with sufficient access to the Judge0 API can reach internal services from inside the submission sandbox and, through them, obtain unsandboxed code execution as root on the host. All deployments running a version before 1.13.1 with default settings are affected.
💻 Affected Systems
- Judge0 (releases before 1.13.1, the patched version named in the vendor advisory)
⚠️ Manual Verification Required
This CVE has no version ranges in our database, so automatic vulnerability detection cannot decide whether your system is affected.
Why? The NVD entry carries no version ranges. The vendor advisory does name 1.13.1 as the patched release, so treat anything earlier as affected until you have verified otherwise.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise: attacker gains root access on the host machine, enabling data theft, lateral movement, and persistent backdoor installation.
Likely Case
Unauthorized code execution with root privileges, allowing complete control over the Judge0 server and potential access to internal network resources.
If Mitigated
If the sandbox has no network path to internal services (egress filtering, segmentation) and the API requires a token, the remaining exposure is abuse of the code-execution service itself (resource exhaustion, service disruption) rather than host compromise.
🎯 Exploit Status
Exploitation requires the ability to create submissions through the Judge0 API. In the shipped judge0.conf AUTHN_TOKEN is empty, meaning authentication is off, so on a default deployment that is anyone who can reach the API port. Once that access exists the attack is straightforward, and the public advisory gives enough technical detail to weaponize it.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.13.1
Vendor Advisory: https://github.com/judge0/judge0/security/advisories/GHSA-q7vg-26pg-v5hr
Restart Required: Yes
Instructions:
1. Back up judge0.conf, docker-compose.yml and the PostgreSQL data volume.
2. Judge0 is deployed as containers, not through a package manager: change the image tag of the server and workers services in docker-compose.yml to judge0/judge0:1.13.1 (or check out the 1.13.1 tag if you build from source), then run docker-compose pull and docker-compose up -d so that both the server and every worker container are recreated.
3. While the stack is down, replace any placeholder credentials left in judge0.conf (POSTGRES_PASSWORD, REDIS_PASSWORD); the SSRF is only as useful to an attacker as the internal services it can log in to.
4. Verify: GET /version on the API must report 1.13.1, and the worker containers must run the same image tag.
🔧 Temporary Workarounds
The vendor advisory reports no known workarounds for this vulnerability. The measures below reduce exposure while you schedule the upgrade; they do not remove the flaw.
Network Isolation
Linux: Restrict the sandbox's network access so that submitted code cannot reach internal services
# If your workloads do not need network access from the sandbox, set ALLOW_ENABLE_NETWORK=false and ENABLE_NETWORK=false in judge0.conf so API clients cannot request it.
# The rules below drop all traffic from processes running under isolate's sandbox uids. The range assumes isolate's default configuration (first_uid = 60000, num_boxes = 1000); adjust it to your isolate.cf.
# They must be applied in the network namespace the sandbox shares, i.e. inside the worker container on a docker-compose deployment. They do not touch the Judge0 worker process itself, which still needs PostgreSQL and Redis.
iptables -A OUTPUT -m owner --uid-owner 60000-60999 -j DROP
ip6tables -A OUTPUT -m owner --uid-owner 60000-60999 -j DROP
API Access Restriction
All platforms: Require an API token and rate-limit submissions so that the "sufficient access to the Judge0 API" the advisory requires is not available to arbitrary clients
# judge0.conf: set AUTHN_TOKEN to a long random value (clients send it in the header named by AUTHN_HEADER); it ships empty, which disables authentication entirely.
# Put a reverse proxy such as nginx in front of the API port (2358 by default): restrict who may reach the /submissions location (auth_basic or auth_request) and add limit_req_zone / limit_req on that location.
🧯 If You Can't Patch
- Remember that the vendor lists no known workaround: the steps here limit what an attacker can do, they do not stop the escape.
- Require an API token (AUTHN_TOKEN) and expose the API only to the clients that need it, ideally on an internal network or behind a reverse proxy with per-client limits.
- Segment the deployment network so the sandbox cannot reach the database, Redis, cloud metadata endpoints or other internal hosts; enforce this with egress filtering on the worker. A WAF in front of the API does not help here: it only sees inbound HTTP requests to Judge0 and never sees the connections that submitted code opens from inside the sandbox.
- Monitor for the indicators listed under Detection & Monitoring.
🔍 How to Verify
Check if Vulnerable:
Check the Judge0 version: if it is below 1.13.1, treat the system as vulnerable. The advisory scopes the issue to the default configuration, so a deployment that already blocks sandbox network access has reduced exposure, but do not rely on that in place of the patch. The referenced isolate_job.rb lines 203-230 are the code path the advisory points at.
Check Version:
There is no judge0 command-line binary and Judge0 is not a gem, so Gemfile.lock will not list it. Use one of:
curl -s http://<judge0-host>:2358/version          # the API returns its version as a plain string (default port 2358)
docker images judge0/judge0 --format '{{.Tag}}'     # image tags in a container deployment; check the workers' image too
git describe --tags                                 # in a source checkout
Verify Fix Applied:
Confirm that GET /version reports 1.13.1 or higher and that every worker container runs the same image tag (workers are separate containers and are the ones that execute submissions). Then check that the exposure conditions are closed: the API rejects requests without the configured token, and a throwaway submission with enable_network set can no longer open a connection to the database or Redis port from inside the sandbox.
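The version comparison above is easy to get wrong by hand (string comparison puts "1.9.0" after "1.13.1"). The script below is an added example, not Judge0's own code or part of the advisory: it parses the string the API returns, compares it numerically against 1.13.1 and reports anything unparseable as unknown rather than guessing. It assumes the instance answers GET /version with a plain version string such as "1.13.0" on the default port 2358; the sample replies at the bottom are constructed so the script also runs offline.

```python
"""Version check for CVE-2024-29021 (fixed in Judge0 1.13.1).

Added example, not part of Judge0 or the advisory. It assumes the API answers
GET /version with a plain version string such as "1.13.0" on the default port
2358; the sample strings at the bottom are constructed, so the script runs offline.
"""
import re
import sys
import urllib.request
from typing import Tuple

FIXED_VERSION = "1.13.1"  # patched release named in GHSA-q7vg-26pg-v5hr


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn "1.13.0", "v1.13.1" or "1.13.1-rc1" into a tuple of ints for comparison.

    Raises ValueError when the string does not start with a dotted number,
    so an unexpected reply (HTML error page, empty body) is reported, not guessed.
    """
    match = re.match(r"^\s*v?(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` sorts before the fixed release.

    Tuple comparison treats "1.13" as (1, 13), which sorts before (1, 13, 1),
    so a two-component "1.13" is correctly reported as pre-fix.
    """
    return parse_version(version) < parse_version(fixed)


def assess(version_text: str) -> str:
    """Human-readable verdict for one reported version string."""
    try:
        vulnerable = is_vulnerable(version_text)
    except ValueError as exc:
        return f"UNKNOWN: {exc}"
    verdict = f"VULNERABLE, update to {FIXED_VERSION}" if vulnerable else "patched"
    return f"Judge0 {version_text.strip()}: {verdict}"


def fetch_version(base_url: str, timeout: float = 5.0) -> str:
    """Fetch GET /version from a live instance (network call; not used offline)."""
    url = base_url.rstrip("/") + "/version"
    with urllib.request.urlopen(url, timeout=timeout) as response:
        return response.read().decode("utf-8", "replace").strip()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. python check_judge0.py http://judge0.internal:2358
        print(assess(fetch_version(sys.argv[1])))
    else:
        # Constructed sample replies standing in for real /version responses.
        for sample in ("1.13.0", "1.13.1", "1.12.0", "v1.14.0", "<html>502</html>"):
            print(assess(sample))
```

/version only reflects the server container; the workers that actually run submissions are separate containers, so pair this check with the image-tag check on the worker hosts.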
📡 Detection & Monitoring
Log Indicators:
- Submissions created with enable_network set, visible in the API access log or the submissions table; these are the ones that can reach the network from inside the sandbox
- Sandbox runs whose process opens connections to the database or Redis ports rather than producing ordinary program output
- Processes, cron entries or files owned by root appearing outside isolate's box directories on the worker host
Network Indicators:
- The worker host or container connecting to internal services other than its own PostgreSQL and Redis instances
- Any connection originating from the isolate sandbox uid range (first_uid and up), which legitimate submissions rarely need
SIEM Query (illustrative Splunk-style syntax; map the field names to your own log schema):
index=network src_host="judge0-worker" NOT dest_host IN ("db", "redis") | stats count by src_host dest_ip dest_port
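The indicators above and the rate-limiting workaround earlier both reduce to questions you can ask of exported submission metadata: which submissions asked for sandbox network access, and which clients are hammering the API. The script below is an added example, not Judge0's own code or log format. It assumes submission records pulled from the API (GET /submissions) or the submissions table as dicts carrying `token`, `created_at` and `enable_network`, plus a `client` field holding whatever caller identity your reverse proxy or auth layer records (that field, and the 20-per-minute threshold, are assumptions). The sample records are constructed so it runs offline.

```python
"""Triage of Judge0 submission metadata for CVE-2024-29021 exposure.

Added example, not Judge0's own code or log format. It assumes submission
records exported from the API (GET /submissions) or the submissions table as
dicts carrying `token`, `created_at`, `enable_network` and a `client` field
(the caller identity your reverse proxy or auth layer records; that field is
an assumption). The sample records are constructed so the script runs offline.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

MAX_PER_MINUTE = 20  # assumed burst threshold; match it to the limit_req rate you enforce


def flag_network_enabled(records: Iterable[dict]) -> List[str]:
    """Tokens of submissions that asked for sandbox network access.

    An SSRF from inside the sandbox needs the sandbox to have a network path,
    so these are the submissions whose source_code is worth reading first.
    """
    return [r["token"] for r in records if r.get("enable_network")]


def flag_bursty_clients(records: Iterable[dict],
                        max_per_minute: int = MAX_PER_MINUTE) -> Dict[str, int]:
    """Clients that exceeded `max_per_minute` submissions in any sliding 60 s window.

    Returns {client: peak_count_in_a_window} for offenders only.
    """
    by_client: Dict[str, List[datetime]] = defaultdict(list)
    for r in records:
        by_client[r["client"]].append(datetime.fromisoformat(r["created_at"]))
    offenders: Dict[str, int] = {}
    for client, times in by_client.items():
        window: deque = deque()
        peak = 0
        for t in sorted(times):
            window.append(t)
            # Drop timestamps older than 60 s relative to the newest one.
            while t - window[0] > timedelta(seconds=60):
                window.popleft()
            peak = max(peak, len(window))
        if peak > max_per_minute:
            offenders[client] = peak
    return offenders


def triage(records: List[dict], max_per_minute: int = MAX_PER_MINUTE) -> Dict[str, object]:
    """Run both checks and return a summary a SOC could attach to a ticket."""
    return {
        "network_enabled_tokens": flag_network_enabled(records),
        "bursty_clients": flag_bursty_clients(records, max_per_minute),
    }


def sample_records() -> List[dict]:
    """Constructed data: one ordinary client that once enabled networking,
    and one client that fires 25 submissions in 50 seconds."""
    base = datetime(2024, 4, 30, 12, 0, 0)
    records = [
        {"token": "a1", "client": "10.0.0.5", "enable_network": False,
         "created_at": base.isoformat()},
        {"token": "a2", "client": "10.0.0.5", "enable_network": True,
         "created_at": (base + timedelta(seconds=30)).isoformat()},
    ]
    for i in range(25):
        records.append({"token": f"b{i}", "client": "203.0.113.9", "enable_network": False,
                        "created_at": (base + timedelta(seconds=2 * i)).isoformat()})
    return records


if __name__ == "__main__":
    for key, value in triage(sample_records()).items():
        print(f"{key}: {value}")
```

The sliding window matters because a fixed per-minute bucket lets a client send two bursts straddling a minute boundary without tripping the limit; the same logic is what an nginx limit_req zone enforces, so the offenders this reports are the ones the proxy should have already throttled.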
🔗 References
- https://github.com/judge0/judge0/blob/ad66f77b131dbbebf2b9ff8083dca9a68680b3e5/app/jobs/isolate_job.rb#L203-L230
- https://github.com/judge0/judge0/security/advisories/GHSA-q7vg-26pg-v5hr