CVE-2022-41955

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2022-41955

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-41955.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2022-41955

Aliases

GHSA-x5r3-vf3p-3269

Published

2023-01-14T00:09:07.032Z

Modified

2026-04-02T08:19:19.944190Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Autolab is vulnerable to remote code execution (RCE) via MOSS functionality

Details

Autolab is a course management service, initially developed by a team of students at Carnegie Mellon University, that enables instructors to offer autograded programming assignments to their students over the Web. A remote code execution vulnerability was discovered in Autolab's MOSS functionality, whereby an instructor with access to the feature might be able to execute code on the server hosting Autolab. This vulnerability has been patched in version 2.10.0. As a workaround, disable the MOSS feature if it is unneeded by replacing the body of run_moss in app/controllers/courses_controller.rb with render(plain: "Feature disabled", status: :bad_request) && return.

Database specific

{
    "cwe_ids": [
        "CWE-78"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/41xxx/CVE-2022-41955.json",
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/autolab/autolab

Affected ranges

Type: GIT
Repo: https://github.com/autolab/autolab
Events: Introduced

cd657951bbf92512d47a61f5551038a4ea4ff479

Fixed

67f6644ae586a6031bb08a94ff04e50181bc8ab3

Affected versions

2.*

2.0.4

2.0.8

2.1.0

2.2.0

2.2.1

v2.*

v2.0.2

v2.0.3

v2.0.5

v2.0.6

v2.0.7

v2.0.8

v2.2.0

v2.2.1

v2.3.0

v2.4.0

v2.6.0

v2.7.0

v2.8.0

v2.9.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-41955.json"