December 7, 2023

GHSL-2022-100: Path traversal vulnerability and remote code execution (RCE) vulnerability in Autolab - CVE-2022-41955,CVE-2022-41956

Peter Stöckli

Coordinated Disclosure Timeline


Two vulnerabilities were found in Autolab:

These issues are listed in detail below.



Tested Version



Issue 1: File disclosure due to path traversal (GHSL-2022-100)

Autolab provides a so-called remote handin feature through which submissions of students can be accepted. Handins submitted with this feature are copied from a path that is accessible to the running Autolab instance; in practice the remote handin path will most likely be a directory on a shared drive. The endpoint for such submissions allows unauthenticated attackers to hand in assignments on behalf of registered users using paths outside of those users' submission directory: the value of the submit parameter is passed to the saveHandin module method without further sanitization or verification. The contents of the files at the submitted paths can then be viewed by the users viewing “their” submissions.

Proof of Concept


  1. The remote handin path needs to be set.
  2. A handin directory for a user must exist inside the remote handin path, in the form: <email>_remote_handin_<assessment-name> (this seems to be a general precondition for the remote handin feature to work at all).
  3. The attacker needs at least one email address of a user that is registered to any course and assignment.

The attacker then only needs to construct a URL of the following form and request it via GET:



Afterwards the attacker can view or download the contents of the desired file (e.g., /etc/passwd) in the “Handin History” of the assessment.
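The root cause described above is a user-supplied filename being joined onto the remote handin directory and used without checking where the result points. The following Ruby snippet is an added illustration, not Autolab's own code: it contrasts a join that accepts traversal with a resolver that canonicalises the path and requires it to stay inside the per-user handin directory. The directory names and the function names are assumptions chosen for the example.

```ruby
# Added example (not Autolab code): path-traversal-safe resolution of a
# remote handin filename. Constructed fixture values, not a real deployment.
REMOTE_HANDIN_PATH = "/srv/autolab/remote_handins"
HANDIN_DIRNAME     = "student@example.edu_remote_handin_hw1"

# Vulnerable pattern: the attacker-controlled `submit` value is joined onto
# the handin directory and used as-is. "../../../../etc/passwd" (or any
# other relative path) escapes the directory once the path is opened.
def unsafe_handin_path(submit)
  File.join(REMOTE_HANDIN_PATH, HANDIN_DIRNAME, submit)
end

# Hardened pattern: canonicalise the candidate with File.expand_path (which
# resolves "." and ".." and lets an absolute `submit` override the base),
# then require the result to remain inside the user's handin directory.
# Returns the canonical path, or nil when the request must be rejected.
def safe_handin_path(submit)
  # File.expand_path treats a leading "~" as a home-directory lookup, so
  # refuse it up front instead of relying on the prefix check.
  return nil if submit.start_with?("~")

  handin_dir = File.expand_path(File.join(REMOTE_HANDIN_PATH, HANDIN_DIRNAME))
  candidate  = File.expand_path(submit, handin_dir)

  # The prefix must include the separator so that a sibling directory such
  # as ".../hw1_evil" is not accepted as being inside ".../hw1".
  return nil unless candidate.start_with?(handin_dir + File::SEPARATOR)

  # Only a single plain filename is a legitimate handin: this rejects
  # subdirectory components, trailing slashes, "." and "..".
  return nil unless File.basename(candidate) == submit

  candidate
end
```

Note that File.expand_path does not follow symbolic links; if the remote handin directory can contain symlinks created by students, the result should additionally be passed through File.realpath (which requires the file to exist) and checked again before the file is read.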


This issue may lead to Information Disclosure.


Issue 2: Authenticated Remote Code Execution (GHSL-2022-124)

Autolab provides the functionality to check submissions for plagiarism using MOSS (Measure Of Software Similarity). The MOSS cheat checker can be run by instructors with sufficient permissions. The parameters max_lines and language_selection both flow unsanitized through three different join operations before reaching a command execution sink. An attacker exploiting this vulnerability could gain control over the server running Autolab.

This vulnerability was discovered with the help of CodeQL’s Uncontrolled command line query.

Proof of Concept


  1. The attacker needs to be logged in as an instructor.
  2. There needs to be an existing course for which the instructor has access permissions.

This vulnerability can be exploited with nothing more than a browser by navigating to:


After selecting an assignment, the “Max Lines” checkbox needs to be enabled and, instead of a valid number of lines, a shell command such as | touch /tmp/pwned.txt | can be provided. Clicking “GO!” then creates the file /tmp/pwned.txt on the server.

To manipulate the language_selection parameter in the same way, the browser's developer tools or a tool like curl can be used to craft the desired requests.
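The injection works because the option values are concatenated into a single command string that ends up being handed to a shell, where | is a pipe rather than part of a number. The Ruby snippet below is an added example, not Autolab's MOSS integration: it reproduces the vulnerable string-building shape with the payload from the proof of concept, and beside it builds a validated argv array that Kernel#system executes without a shell. The language allow-list, the helper names and the file arguments are assumptions made for the example.

```ruby
# Added example (not Autolab code): string-built command vs. validated argv.
require "shellwords"

# Assumed allow-list of MOSS language identifiers; not Autolab's real list.
MOSS_LANGUAGES = %w[c cc java python ruby haskell].freeze

class InvalidMossParameter < StandardError; end

# Vulnerable pattern: untrusted values are interpolated and joined into one
# string. Passing that string to Kernel#system or backticks runs it through
# /bin/sh -c, so "| touch /tmp/pwned.txt |" as max_lines becomes a pipeline.
def unsafe_moss_command(language, max_lines, files)
  opts = ["-l #{language}", "-m #{max_lines}"]
  ["moss", *opts, *files].join(" ")
end

# Hardened pattern: each parameter is checked against a strict shape before
# it is placed into an argv array. Returns the array; raises on bad input.
def safe_moss_argv(language, max_lines, files)
  raise InvalidMossParameter, "language" unless MOSS_LANGUAGES.include?(language)
  # max_lines must be a positive integer of reasonable size, nothing else.
  raise InvalidMossParameter, "max_lines" unless max_lines.to_s.match?(/\A[1-9]\d{0,5}\z/)
  # Submission file paths: relative, plain characters, no parent references.
  raise InvalidMossParameter, "files" unless files.all? { |f|
    f.match?(%r{\A[\w./-]+\z}) && !f.include?("..") && !f.start_with?("/")
  }
  ["moss", "-l", language, "-m", max_lines.to_s, *files]
end

# Kernel#system with several arguments execs the program directly; shell
# metacharacters in any argument are passed literally, never interpreted.
def run_moss(language, max_lines, files)
  system(*safe_moss_argv(language, max_lines, files))
end

# If a single command string is unavoidable (e.g. for logging or a remote
# shell), Shellwords.join escapes every argument so it survives a shell.
def moss_command_line(language, max_lines, files)
  Shellwords.join(safe_moss_argv(language, max_lines, files))
end
```

The validation and the argv form are independent defences: even if the allow-list were loosened, the multi-argument system call still would not give an attacker a shell, and even if a string were required, Shellwords.join keeps each argument as one literal token.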


This issue may lead to Remote Code Execution (RCE).




This issue was discovered and reported by GHSL team member @p- (Peter Stöckli).


You can contact the GHSL team at, please include a reference to GHSL-2022-100 in any communication regarding this issue.