GHSA-883x-6fch-6wjx: 
Java vulnerability analysis and mitigation

The vulnerability (CVE-2024-23683) affects Artemis Java Test Sandbox versions prior to 1.7.6, discovered in January 2024. This security flaw involves a sandbox escape vulnerability that occurs when an attacker crafts a special subclass of InvocationTargetException. The vulnerability allows attackers to execute arbitrary Java code when a victim executes supposedly sandboxed code (GitHub Advisory, NVD).

The vulnerability stems from an incomplete blacklist in test failure processing, where an attacker can create special subclasses of InvocationTargetException that bypass exception sanitization. This occurs because JUnit extracts the cause in a trusted context before the exception reaches Ares. The vulnerability has been assigned a CVSS v3.1 base score of 8.2 (High), with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H, indicating local access requirements but high impact potential (GitHub Advisory, NVD).

The exploitation of this vulnerability allows attackers to execute arbitrary Java code with full system control. Once exploited, attackers can disable the ArtemisSecurityManager and gain unrestricted access to perform various malicious actions, including reading and writing files, establishing network connections, and executing arbitrary shell commands (GitHub Advisory).

The primary mitigation is to update to Artemis Java Test Sandbox version 1.7.6 or later, which contains the security fix. As a workaround, organizations can forbid student classes in trusted packages as described in the project's issue tracker (GitHub Release, GitHub Advisory).