Publish Advisories

GHSA-883x-6fch-6wjx
GHSA-98hq-4wmw-98w9
GHSA-vf78-3q9f-92g3
GHSA-23rx-79r7-6cpx
GHSA-9rhq-86fm-qxqc
GHSA-c4pg-5ggh-vcpp

Author: advisory-database[bot]

advisories/github-reviewed/2022/01/GHSA-883x-6fch-6wjx/GHSA-883x-6fch-6wjx.json

@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-883x-6fch-6wjx",
-  "modified": "2022-01-18T22:55:47Z",
+  "modified": "2026-01-22T20:31:25Z",
   "published": "2022-01-21T23:39:19Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2024-23683"
+  ],
   "summary": "Trust Boundary Violation due to Incomplete Blacklist in Test Failure Processing in Ares",
   "details": "### Impact\nThis allows an attacker to create special subclasses of `InvocationTargetException` that escape the exception sanitization because JUnit extracts the cause in a trusted context before the exception reaches Ares. This means that arbitrary student code can be executed in a trusted context, and that in turn allows disabling Ares and having full control over the system.\n\n### Patches\nUpdate to version `1.7.6` or later.\n\n### Workarounds\nForbid student classes in trusted packages like, e.g., described in https://github.com/ls1intum/Ares/issues/15#issuecomment-996449371\n\n### References\n_Are there any links users can visit to find out more?_\nNot that I know of.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in https://github.com/ls1intum/Ares/issues\n* Email us, see https://github.com/ls1intum/Ares/security/policy\n\n### Detailed description\nUsing generics, it is possible to throw checked exceptions without a `throws` clause:\n<details>\n<summary>ThrowWithoutThrowsHelper</summary>\n\n```java\npublic class ThrowWithoutThrowsHelper<X extends Throwable>\n{\n    private final X throwable;\n\n    private ThrowWithoutThrowsHelper(X throwable)\n    {\n        this.throwable = throwable;\n    }\n\n    private <R> R throwWithThrows() throws X\n    {\n        throw throwable;\n    }\n\n    public static <R> R throwWithoutThrows(Throwable throwable)\n    {\n        ThrowWithoutThrowsHelper<?> helper = new ThrowWithoutThrowsHelper<Throwable>(throwable);\n        @SuppressWarnings(\"unchecked\")\n        ThrowWithoutThrowsHelper<RuntimeException> helperCasted = (ThrowWithoutThrowsHelper<RuntimeException>) helper;\n        return helperCasted.throwWithThrows();\n    }\n}\n```\n</details>\n\nUsing this, it is possible for a malicious testee to throw an instance of a malicious subclass of `InvocationTargetException` (let's call it `EvilInvocationTargetException`).\n\nThis exception is catched by `org.junit.platform.commons.util.ReflectionUtils::invokeMethod`, which looks like this:\n<details>\n<summary>ReflectionUtils::invokeMethod</summary>\n\n```java\n    public static Object invokeMethod(Method method, Object target, Object... args) {\n        Preconditions.notNull(method, \"Method must not be null\");\n        Preconditions.condition((target != null || isStatic(method)),\n            () -> String.format(\"Cannot invoke non-static method [%s] on a null target.\", method.toGenericString()));\n\n        try {\n            return makeAccessible(method).invoke(target, args);\n        }\n        catch (Throwable t) {\n            throw ExceptionUtils.throwAsUncheckedException(getUnderlyingCause(t));\n        }\n    }\n```\n</details>\n\nThis method calls `getUnderlyingCause` (of the same class), passing to it the catched, malicious exception as an argument.\n<details>\n<summary>ReflectionUtils::getUnderlyingCause</summary>\n\n```java\n    private static Throwable getUnderlyingCause(Throwable t) {\n        if (t instanceof InvocationTargetException) {\n            return getUnderlyingCause(((InvocationTargetException) t).getTargetException());\n        }\n        return t;\n    }\n```\n</details>\n\n`getUnderlyingCause` in turn checks if the passed exception is `instanceof InvocationTargetException`, and if so, calls `getTargetException` on it. `getTargetException` can be overridden by subclasses of `InvocationTargetException`, like the `EvilInvocationTargetException`.\nIf `EvilInvocationTargetException` is in a whitelisted package (for example `de.tum.in.test.api.security.notsealedsubpackage`), `getTargetException` will be called with the entire stack containing only whitelisted frames.\nThis allows the attacker to uninstall the `ArtemisSecurityManager` in `EvilInvocationTargetException::getTargetException`:\n<details>\n<summary>Uninstalling ArtemisSecurityManager</summary>\n\n```java\n\nSecurityManager secman = System.getSecurityManager();\nClass<?> aresSecmanClass = secman.getClass();\nField isPartlyDisabledF = aresSecmanClass.getDeclaredField(\"isPartlyDisabled\");\nisPartlyDisabledF.setAccessible(true);\nisPartlyDisabledF.set(secman, true);\nSystem.setSecurityManager(null);\n```\n</details>\n\nAfter uninstalling `ArtemisSecurityManager`, the attacker is free to do anything expressible in Java; including reading and writing any files, opening network connections, and executing arbitrary shell commands.",
   "severity": [

advisories/github-reviewed/2023/02/GHSA-98hq-4wmw-98w9/GHSA-98hq-4wmw-98w9.json

@@ -1,11 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-98hq-4wmw-98w9",
-  "modified": "2023-02-10T23:52:13Z",
+  "modified": "2026-01-22T20:31:06Z",
   "published": "2023-02-10T23:52:13Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2024-23681"
+  ],
   "summary": "Arbitrary code execution in de.tum.in.ase:artemis-java-test-sandbox",
-  "details": "### Summary\nBecause of the missing `checkLink(String)` override in the SecurityManager, students can load libraries and execute arbitrary code.\n\n### Details\nUsing `System.load(String)` or `System.loadLibrary​(String)` students can load and execute arbitrary code.\n\n```java\nprivate static native void start(List<String> args);\n\npublic static void main(String[] args) {\n  System.load(new File(\"path_to_lib.so\").getAbsolutePath());\n  start(List.of(args));\n}\n```\n\nAdding this to the security manager (and a translation) should fix the issue:\n```java\n@Override\npublic void checkExec(String cmd) {\n  try {\n    if (enterPublicInterface())\n      return;\n    throw new SecurityException(localized(\"security.error_link\")); //$NON-NLS-1$\n  } finally {\n    exitPublicInterface();\n  }\n}\n```\n\n### PoC\nSee details.\n\n### Impact\nArbitrary code execution.\n",
+  "details": "### Summary\nBecause of the missing `checkLink(String)` override in the SecurityManager, students can load libraries and execute arbitrary code.\n\n### Details\nUsing `System.load(String)` or `System.loadLibrary​(String)` students can load and execute arbitrary code.\n\n```java\nprivate static native void start(List<String> args);\n\npublic static void main(String[] args) {\n  System.load(new File(\"path_to_lib.so\").getAbsolutePath());\n  start(List.of(args));\n}\n```\n\nAdding this to the security manager (and a translation) should fix the issue:\n```java\n@Override\npublic void checkExec(String cmd) {\n  try {\n    if (enterPublicInterface())\n      return;\n    throw new SecurityException(localized(\"security.error_link\")); //$NON-NLS-1$\n  } finally {\n    exitPublicInterface();\n  }\n}\n```\n\n### PoC\nSee details.\n\n### Impact\nArbitrary code execution.",
   "severity": [
     {
       "type": "CVSS_V3",
@@ -38,9 +40,17 @@
       "type": "WEB",
       "url": "https://github.com/ls1intum/Ares/security/advisories/GHSA-98hq-4wmw-98w9"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23681"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/ls1intum/Ares"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vulncheck.com/advisories/vc-advisory-GHSA-98hq-4wmw-98w9"
     }
   ],
   "database_specific": {

advisories/github-reviewed/2023/07/GHSA-vf78-3q9f-92g3/GHSA-vf78-3q9f-92g3.json

@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-vf78-3q9f-92g3",
-  "modified": "2023-07-25T13:53:42Z",
+  "modified": "2026-01-22T20:30:37Z",
   "published": "2023-07-25T13:53:42Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2024-23687"
+  ],
   "summary": "Hard-coded System User Credentials in Folio Data Export Spring module ",
   "details": "### Impact\nThe module creates a system user that is used to perform internal module-to-module operations.  Credentials for this user are hard-coded in the source code.  This makes it trivial to authenticate as this user, resulting in unauthorized access to potentially dangerous APIs, allowing to view and modify configuration including single-sign-on configuration, to read, add and modify user data, and to read and transfer fees/fines in a patron's account.\n\n### Patches\nUpgrade mod-data-export-spring to >=2.0.2, or a 1.5.x version >=1.5.4.\n\n### Workarounds\nNo known workarounds.\n\n### References\nhttps://wiki.folio.org/x/hbMMBw - FOLIO Security Advisory with Upgrade Instructions\nhttps://github.com/folio-org/mod-data-export-spring/commit/93aff4566bff59e30f4121b5a2bda5b0b508a446 - Fix",
   "severity": [
@@ -57,10 +59,18 @@
       "type": "WEB",
       "url": "https://github.com/folio-org/mod-data-export-spring/security/advisories/GHSA-vf78-3q9f-92g3"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23687"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/folio-org/mod-data-export-spring/commit/93aff4566bff59e30f4121b5a2bda5b0b508a446"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/folio-org/mod-data-export-spring/commit/cb6785565067a2a90c1e2250c241e5b23214c691"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/folio-org/mod-data-export-spring"
@@ -71,7 +81,9 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
+    "cwe_ids": [
+      "CWE-798"
+    ],
     "severity": "CRITICAL",
     "github_reviewed": true,
     "github_reviewed_at": "2023-07-25T13:53:42Z",

advisories/github-reviewed/2024/01/GHSA-23rx-79r7-6cpx/GHSA-23rx-79r7-6cpx.json

@@ -1,13 +1,12 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-23rx-79r7-6cpx",
-  "modified": "2024-01-26T20:28:43Z",
+  "modified": "2026-01-22T20:31:21Z",
   "published": "2024-01-19T21:30:36Z",
-  "aliases": [
-    "CVE-2024-23683"
-  ],
-  "summary": "Sandbox escape in Artemis Java Test Sandbox",
-  "details": "Artemis Java Test Sandbox versions less than 1.7.6 are vulnerable to a sandbox escape when an attacker crafts a special subclass of InvocationTargetException. An attacker can abuse this issue to execute arbitrary Java when a victim executes the supposedly sandboxed code.\n\n\n\n\n\n",
+  "withdrawn": "2026-01-22T20:31:21Z",
+  "aliases": [],
+  "summary": "Duplicate Advisory: Sandbox escape in Artemis Java Test Sandbox",
+  "details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-883x-6fch-6wjx. This link is maintained to preserve external references.\n\n## Original Description\nArtemis Java Test Sandbox versions less than 1.7.6 are vulnerable to a sandbox escape when an attacker crafts a special subclass of InvocationTargetException. An attacker can abuse this issue to execute arbitrary Java when a victim executes the supposedly sandboxed code.",
   "severity": [
     {
       "type": "CVSS_V3",

advisories/github-reviewed/2024/01/GHSA-9rhq-86fm-qxqc/GHSA-9rhq-86fm-qxqc.json

@@ -1,13 +1,12 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-9rhq-86fm-qxqc",
-  "modified": "2025-05-22T21:42:23Z",
+  "modified": "2026-01-22T20:30:28Z",
   "published": "2024-01-20T00:30:27Z",
-  "aliases": [
-    "CVE-2024-23687"
-  ],
-  "summary": "Hard-coded credentials in org.folio:mod-data-export-spring",
-  "details": "Hard-coded credentials in FOLIO mod-data-export-spring versions before 1.5.4 and from 2.0.0 to 2.0.2 allows unauthenticated users to access critical APIs, modify user data, modify configurations including single-sign-on, and manipulate fees/fines.",
+  "withdrawn": "2026-01-22T20:30:28Z",
+  "aliases": [],
+  "summary": "Duplicate Advisory: Hard-coded credentials in org.folio:mod-data-export-spring",
+  "details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-vf78-3q9f-92g3. This link is maintained to preserve external references.\n\n## Original Description\nHard-coded credentials in FOLIO mod-data-export-spring versions before 1.5.4 and from 2.0.0 to 2.0.2 allows unauthenticated users to access critical APIs, modify user data, modify configurations including single-sign-on, and manipulate fees/fines.",
   "severity": [
     {
       "type": "CVSS_V3",

advisories/github-reviewed/2024/01/GHSA-c4pg-5ggh-vcpp/GHSA-c4pg-5ggh-vcpp.json

@@ -1,13 +1,12 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-c4pg-5ggh-vcpp",
-  "modified": "2024-01-26T20:28:48Z",
+  "modified": "2026-01-22T20:30:53Z",
   "published": "2024-01-19T21:30:36Z",
-  "aliases": [
-    "CVE-2024-23681"
-  ],
-  "summary": "Sandbox escape in Artemis Java Test Sandbox",
-  "details": "Artemis Java Test Sandbox versions before 1.11.2 are vulnerable to a sandbox escape when an attacker loads untrusted libraries using System.load or System.loadLibrary. An attacker can abuse this issue to execute arbitrary Java when a victim executes the supposedly sandboxed code.\n\n\n",
+  "withdrawn": "2026-01-22T20:30:53Z",
+  "aliases": [],
+  "summary": "Duplicate Advisory: Sandbox escape in Artemis Java Test Sandbox",
+  "details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-98hq-4wmw-98w9. This link is maintained to preserve external references.\n\n## Original Description\nArtemis Java Test Sandbox versions before 1.11.2 are vulnerable to a sandbox escape when an attacker loads untrusted libraries using System.load or System.loadLibrary. An attacker can abuse this issue to execute arbitrary Java when a victim executes the supposedly sandboxed code.",
   "severity": [
     {
       "type": "CVSS_V3",