CVE-2022-41955: Autolab is a course management service, initially developed by a team of students at Carnegie Mellon University, that en
Summary
Autolab is a web-based course management system that allows instructors to automatically grade programming assignments. A remote code execution vulnerability (RCE, where an attacker can run commands on a system they don't own) was found in its MOSS feature that could let instructors execute code on the server hosting Autolab.
Solution / Mitigation
The vulnerability has been patched in version 2.10.0. Alternatively, as a workaround, disable the MOSS feature by replacing the body of `run_moss` in `app/controllers/courses_controller.rb` with `render(plain: "Feature disabled", status: :bad_request) && return`.
Vulnerability Details
8.8 (high)
EPSS: 3.9%
Original source: https://nvd.nist.gov/vuln/detail/CVE-2022-41955
First tracked: February 15, 2026 at 08:37 PM