CVE-2024-23682: 
Java vulnerability analysis and mitigation

Artemis Java Test Sandbox versions before 1.8.0 contain a sandbox escape vulnerability (CVE-2024-23682) that was discovered in January 2024. The vulnerability affects the testing environment used for Java assignments in Artemis, allowing attackers to include class files in packages that Ares trusts (GitHub Advisory).

The vulnerability has a CVSS v3.1 base score of 8.2 (High severity) with the following metrics: Attack Vector: Local, Attack Complexity: Low, Privileges Required: Low, User Interaction: Required, Scope: Changed, and all impact metrics (Confidentiality, Integrity, and Availability) rated as High. The vulnerability is associated with CWE-501 and CWE-653, relating to trust boundary violations and insufficient compartmentalization (GitHub Advisory, AttackerKB).

The vulnerability affects all Artemis users who test Java assignments, even without requiring Ares. When exploited, it allows student code that gets automatically tested to execute arbitrary code within the container. In cases of manual correction, it can lead to arbitrary code execution on the assessor's machine (GitHub Advisory).

The vulnerability has been patched in version 1.8.0 of the Artemis Java Test Sandbox. For additional protection, it is recommended to use the Maven Enforcer Plugin to prevent student classes from residing in trusted packages. The plugin should be configured to fail the build if student code is detected in packages that Ares trusts (GitHub Advisory).