CVE-2024-23683: 
Java vulnerability analysis and mitigation

Artemis Java Test Sandbox versions less than 1.7.6 contain a sandbox escape vulnerability (CVE-2024-23683) that was discovered in January 2024. The vulnerability affects the de.tum.in.ase/artemis-java-test-sandbox package from the Maven package manager, allowing attackers to escape the sandbox environment through a specially crafted subclass of InvocationTargetException (CVE Details, FortiGuard).

The vulnerability occurs when an attacker crafts a special subclass of InvocationTargetException that can bypass exception sanitization. This is possible because JUnit extracts the cause in a trusted context before the exception reaches Ares. The vulnerability exploits the way JUnit's ReflectionUtils.getUnderlyingCause handles InvocationTargetException instances, allowing malicious code to execute in a trusted context (GitHub Advisory).

When successfully exploited, this vulnerability allows an attacker to execute arbitrary Java code when a victim executes supposedly sandboxed code. The attacker can gain full control over the system, including the ability to disable the ArtemisSecurityManager, which enables reading and writing files, opening network connections, and executing arbitrary shell commands (GitHub Advisory).

The primary mitigation is to update to version 1.7.6 or later of the Artemis Java Test Sandbox. As a workaround, organizations can forbid student classes in trusted packages as described in the project's issue tracker. The fix in version 1.7.6 includes blacklisting ReflectionUtils.getUnderlyingCause in the invocation process (GitHub Release).