CVE-2024-29021
CRITICAL
Judge0 <= 1.13.0 - Server-Side Request Forgery Sandbox Escape to Root
Title source: manual
Description
Judge0 is an open-source online code execution system. The default configuration of Judge0 leaves the service vulnerable to a sandbox escape via Server-Side Request Forgery (SSRF). This allows an attacker with sufficient access to the Judge0 API to obtain unsandboxed code execution as root on the target machine. This vulnerability is fixed in 1.13.1.
References (2)
Core References
Vendor Advisory (x_refsource_confirm)
https://github.com/judge0/judge0/security/advisories/GHSA-q7vg-26pg-v5hr
Various Sources (x_refsource_misc)
https://github.com/judge0/judge0/blob/ad66f77b131dbbebf2b9ff8083dca9a68680b3e5/app/jobs/isolate_job.rb#L203-L230
Scores
CVSS v3
9.0
EPSS
0.2018
EPSS Percentile
97.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-1393
CWE-918
Status
published
Products (1)
judge0/judge0
<= 1.13.0
Published
Apr 18, 2024
Tracked Since
Feb 18, 2026