CVE-2024-48920

9.1 CRITICAL

📋 TL;DR

PutongOJ online judging software allows an authenticated but unprivileged user to escalate privileges by sending crafted requests, gaining admin-level access and with it the ability to read sensitive data and tamper with the platform. All PutongOJ versions prior to 2.1.0-beta.1 are affected.

💻 Affected Systems

Products:
  • PutongOJ
Versions: All versions prior to 2.1.0-beta.1
Operating Systems: Any OS running PutongOJ
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments of PutongOJ prior to the fixed version are vulnerable regardless of configuration.

⚠️ Manual Verification Required

Automated detection that keys on NVD version ranges cannot tell whether a given host is affected: the NVD entry for this CVE carries no machine-readable affected-version range. The vendor advisory does name the fixed release (2.1.0-beta.1), so treat every earlier version as affected and confirm by hand.

Recommended Actions:
  1. Review the CVE details at NVD and the vendor advisory linked under Fix & Mitigation
  2. Compare your deployed PutongOJ version against 2.1.0-beta.1
  3. Test in a staging copy whether an ordinary account can reach admin-only operations
  4. Upgrade to 2.1.0-beta.1 or later

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise: attackers gain administrative privileges, access all user data, modify system configuration and potentially execute arbitrary code.

🟠 Likely Case

Unauthorized users gain administrative access to the judging platform, allowing them to view sensitive data, modify contests and manipulate scoring.

🟢 If Mitigated

With proper network segmentation and access controls, impact is limited to the PutongOJ application instance only.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated user access but no special privileges. The advisory suggests constructing specific requests to trigger the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v2.1.0-beta.1

Vendor Advisory: https://github.com/acm309/PutongOJ/security/advisories/GHSA-gj6h-73c5-xw6f

Restart Required: Yes

Instructions:

1. Download PutongOJ v2.1.0-beta.1 from GitHub releases.
2. Replace the existing installation with the new version.
3. Restart the PutongOJ service.
4. Verify the fix by checking that the running version reports 2.1.0-beta.1 or later.

🔧 Temporary Workarounds

Manual patch application

Platforms: all

If you cannot move to the new release, apply only the commit that fixes the vulnerability (211dfe9ebf1c6618ce5396b0338de4f9b580715e) to your checkout. GitHub serves any commit as a patch file at https://github.com/acm309/PutongOJ/commit/211dfe9ebf1c6618ce5396b0338de4f9b580715e.patch; run git apply with --check on it first so a failed apply does not leave a half-patched tree, then apply it and restart the service (git am instead of git apply keeps the upstream commit message).

git apply 211dfe9ebf1c6618ce5396b0338de4f9b580715e.patch

🧯 If You Can't Patch

  • Restrict network access to PutongOJ to trusted users (VPN or IP allowlist), and limit who can obtain an account, since exploitation requires an authenticated user
  • Monitor for administrative activity from accounts with no prior admin history, and require a second authentication factor or out-of-band approval for privileged operations where the deployment allows it

🔍 How to Verify

Check if Vulnerable:

Check PutongOJ version. If version is earlier than 2.1.0-beta.1, the system is vulnerable.

Check Version:

Check the PutongOJ web interface or configuration files for version information

Verify Fix Applied:

Verify the version is 2.1.0-beta.1 or later and test that unprivileged users cannot perform admin operations.
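The version comparison above is easy to get wrong by hand, because the fixed version is a pre-release: a plain string comparison puts "2.1.0" before "2.1.0-beta.1" and "2.1.0-beta.10" before "2.1.0-beta.9". The following script, added here as an example and not part of the advisory or of PutongOJ itself, implements SemVer 2.0.0 precedence (including pre-release ordering) and classifies a deployment as vulnerable or fixed. It assumes the deployment records its version in the "version" field of package.json in the install directory; adjust check_install() if your deployment exposes the version elsewhere.

```python
"""Semver-aware check of a PutongOJ install against the fixed version.

Added example, not part of the advisory or of PutongOJ itself. It assumes the
deployment records its version in package.json (assumption); adjust
check_install() if your deployment exposes the version elsewhere.
"""
import json
import re
import sys
from pathlib import Path

FIXED_VERSION = "2.1.0-beta.1"  # from the vendor advisory

_SEMVER = re.compile(
    r"(\d+)\.(\d+)\.(\d+)"            # major.minor.patch
    r"(?:-([0-9A-Za-z.-]+))?"         # optional pre-release, e.g. beta.1
    r"(?:\+[0-9A-Za-z.-]+)?"          # optional build metadata (ignored)
)


def parse_semver(version):
    """Split 'v2.1.0-beta.1' into ((2, 1, 0), ('beta', '1'))."""
    m = _SEMVER.fullmatch(version.strip().lstrip("v"))
    if not m:
        raise ValueError(f"not a semantic version: {version!r}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    pre = tuple(m.group(4).split(".")) if m.group(4) else ()
    return core, pre


def _ident_key(ident):
    # SemVer 2.0.0 section 11: numeric identifiers sort below alphanumeric ones,
    # numerics compare as integers, alphanumerics compare in ASCII order.
    if ident.isdigit():
        return (0, int(ident), "")
    return (1, 0, ident)


def compare_semver(a, b):
    """Return -1, 0 or 1 like a classic comparator, honouring pre-release rules."""
    core_a, pre_a = parse_semver(a)
    core_b, pre_b = parse_semver(b)
    if core_a != core_b:
        return -1 if core_a < core_b else 1
    if pre_a == pre_b:
        return 0
    # A release outranks any pre-release of the same core: 2.1.0 > 2.1.0-beta.1.
    if not pre_a:
        return 1
    if not pre_b:
        return -1
    for x, y in zip(pre_a, pre_b):
        kx, ky = _ident_key(x), _ident_key(y)
        if kx != ky:
            return -1 if kx < ky else 1
    # All shared identifiers equal: the longer list wins (beta < beta.1).
    return -1 if len(pre_a) < len(pre_b) else 1


def is_vulnerable(version):
    """True when version is older than the fixed 2.1.0-beta.1."""
    return compare_semver(version, FIXED_VERSION) < 0


def check_package_json(text):
    """Read the 'version' field of a package.json document -> (version, vulnerable)."""
    version = json.loads(text)["version"]
    return version, is_vulnerable(version)


def check_install(root):
    """Check the PutongOJ checkout or install directory at `root` (package.json assumed)."""
    return check_package_json(Path(root, "package.json").read_text(encoding="utf-8"))


if __name__ == "__main__":
    version, vulnerable = check_install(sys.argv[1] if len(sys.argv) > 1 else ".")
    verdict = f"VULNERABLE (< {FIXED_VERSION})" if vulnerable else "fixed"
    print(f"PutongOJ {version}: {verdict}")
    sys.exit(1 if vulnerable else 0)
```

Run it with the install directory as the only argument; a non-zero exit code marks a vulnerable host, which makes it easy to wire into a fleet check. Pre-release ordering is the part worth keeping: "2.1.0-alpha.3" and "2.1.0-beta.0" are vulnerable, while "2.1.0-rc.1" and "2.1.0" are fixed.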

📡 Detection & Monitoring

Log Indicators:

  • Unusual privilege escalation attempts
  • User accounts performing admin operations without prior admin history
  • Multiple failed authorization attempts followed by successful admin access

Network Indicators:

  • HTTP requests containing privilege escalation patterns
  • Unusual API calls from non-admin users to admin endpoints

SIEM Query:

source="putongoj" AND (event_type="privilege_escalation" OR user_role_changed="admin")

The field names in this query are illustrative; map them to what your reverse proxy or application log actually records (acting user, role, route, status and any role-change event).
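The four log indicators above can be turned into concrete rules once the log carries the acting user, that user's role and the route. The script below, added here as an example and not part of the advisory or of PutongOJ, runs such rules over a constructed JSON-lines audit log: a role change to admin performed by a non-admin or by the target on their own account, a successful admin-route request from a non-admin, a user first seen as non-admin who then acts as admin, and a burst of refused admin-route requests followed by a success. The field names, the /api/admin/ route prefix and every sample event are assumptions made for the example and must be mapped to what your deployment logs.

```python
"""Detection logic for the log indicators above, run over constructed sample lines.

Added example, not part of the advisory or of PutongOJ. It assumes an audit log
in JSON-lines form with the acting user, that user's role at request time, the
HTTP method/path and response status, plus an optional role_change record; the
field names, the /api/admin/ route prefix and the sample events below are all
constructed for illustration.
"""
import json
from collections import defaultdict

ADMIN_ROUTE_PREFIXES = ("/api/admin/",)   # assumed admin-only API namespace
FAILED_BURST = 3                          # refused admin-route requests before a success

# Constructed sample: mallory self-promotes then uses admin routes; bob probes an
# admin route three times, is refused, then suddenly succeeds.
SAMPLE_LOG = """\
{"ts": "2024-10-16T09:00:01Z", "user": "alice", "role": "user", "method": "GET", "path": "/api/problem/1001", "status": 200}
{"ts": "2024-10-16T09:00:05Z", "user": "root", "role": "admin", "method": "GET", "path": "/api/admin/users", "status": 200}
{"ts": "2024-10-16T09:01:10Z", "user": "mallory", "role": "user", "method": "PUT", "path": "/api/user/mallory", "status": 200, "role_change": {"target": "mallory", "new_role": "admin"}}
{"ts": "2024-10-16T09:01:12Z", "user": "mallory", "role": "admin", "method": "GET", "path": "/api/admin/users", "status": 200}
{"ts": "2024-10-16T09:01:20Z", "user": "mallory", "role": "admin", "method": "PUT", "path": "/api/contest/7", "status": 200}
{"ts": "2024-10-16T09:02:00Z", "user": "bob", "role": "user", "method": "GET", "path": "/api/admin/users", "status": 403}
{"ts": "2024-10-16T09:02:01Z", "user": "bob", "role": "user", "method": "GET", "path": "/api/admin/users", "status": 403}
{"ts": "2024-10-16T09:02:02Z", "user": "bob", "role": "user", "method": "GET", "path": "/api/admin/users", "status": 403}
{"ts": "2024-10-16T09:02:30Z", "user": "bob", "role": "user", "method": "GET", "path": "/api/admin/users", "status": 200}
"""


def parse_lines(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_admin_route(path):
    return path.startswith(ADMIN_ROUTE_PREFIXES)


def detect(events):
    """Return a list of alerts {rule, user, ts} for the four log indicators."""
    alerts = []
    first_role = {}                 # role each user was first seen with
    fresh_admin_flagged = set()     # users already reported under rule 3
    failed_streak = defaultdict(int)

    def alert(rule, ev):
        alerts.append({"rule": rule, "user": ev["user"], "ts": ev["ts"]})

    for ev in events:
        user, role, status = ev["user"], ev["role"], ev["status"]
        first_role.setdefault(user, role)
        ok = status < 400

        # 1. A role change to admin performed by a non-admin, or by the target
        #    on their own account, is the escalation itself.
        change = ev.get("role_change")
        if change and change.get("new_role") == "admin":
            if role != "admin" or change.get("target") == user:
                alert("unauthorized_promotion", ev)

        # 2. Admin route answered with success to a request whose user is not admin.
        if is_admin_route(ev["path"]) and ok and role != "admin":
            alert("admin_route_as_non_admin", ev)

        # 3. A user first seen as non-admin now acting as admin: no prior admin history.
        if role == "admin" and first_role[user] != "admin" and user not in fresh_admin_flagged:
            fresh_admin_flagged.add(user)
            alert("fresh_admin_activity", ev)

        # 4. A burst of refused admin-route requests followed by a success.
        if is_admin_route(ev["path"]):
            if status in (401, 403):
                failed_streak[user] += 1
            else:
                if ok and failed_streak[user] >= FAILED_BURST:
                    alert("failed_then_success", ev)
                failed_streak[user] = 0

    return alerts


if __name__ == "__main__":
    for a in detect(parse_lines(SAMPLE_LOG)):
        print(f"{a['ts']} {a['rule']:26} user={a['user']}")
```

On the sample, mallory trips rules 1 and 3 and bob trips rules 2 and 4, while root's ordinary admin activity and alice's normal use produce nothing. Rule 3 is the one that still fires after an attacker has been granted the admin role for real, which is why the role history is tracked per user across the whole window rather than judged per request.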
