CVE-2024-49376: 
Ruby vulnerability analysis and mitigation

Autolab, a course management service that enables auto-graded programming assignments, was discovered to have a vulnerability in version 3.0.0 related to misconfigured reset password permissions. The vulnerability was disclosed on October 25, 2024, and assigned CVE-2024-49376. The issue affects email-based accounts in Autolab version 3.0.0 (GitHub Advisory).

The vulnerability stems from misconfigured reset password permissions that allow users with insufficient privileges to reset passwords. The severity of this vulnerability is rated as HIGH with a CVSS v3.1 base score of 8.8 (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The vulnerability is classified under CWE-863 (Incorrect Authorization) and CWE-287 (Improper Authentication) (NVD).

The vulnerability allows users with insufficient privileges to potentially access privileged users' accounts by resetting their passwords. This could lead to unauthorized access to administrative accounts and compromise the security of the course management system (GitHub Advisory).

The vulnerability has been fixed in Autolab version 3.0.1. No known workarounds exist for affected versions. Users are advised to upgrade to version 3.0.1 or later to address this security issue (GitHub Advisory).