CVE-2022-41956: Autolab is a course management service, initially developed by a team of students at Carnegie Mellon University, that en
Summary
Autolab, a web-based course management system for programming assignments, had a file disclosure vulnerability (a security flaw that lets unauthorized people read files they should not be able to access) in its remote handin feature. Attackers could submit assignments from file paths outside the intended handin directory and then view the resulting submission to read the contents of those files.
Solution / Mitigation
The vulnerability has been patched in version 2.10.0. As a workaround, ensure that the remote handin path field is empty (Edit Assessment > Advanced > Remote handin path), do not run Autolab as `root` (a user with full system permissions), and do not run it as any user with write access to `/` (the root directory). Alternatively, disable the remote handin feature by replacing the body of `local_submit` in `app/controllers/assessment/handin.rb` with `render(plain: "Feature disabled", status: :bad_request) && return`.
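As an added illustration of the containment check a hardened remote handin path needs (example code written for this page, not Autolab's own implementation), the function below resolves a requested path against the handin root and rejects anything that escapes it; the root directory and sample requests are constructed for the example.

```ruby
# Added example (not Autolab's code): containment check for a remote handin
# path, modelling the defensive property the file disclosure above lacked.
# The handin root and the sample requests below are constructed values.

# Resolve user_path relative to handin_root and confirm the result still lies
# inside handin_root. Returns the absolute path on success, nil on rejection.
def resolve_handin_path(handin_root, user_path)
  # An empty field means the feature is not configured; nothing to resolve.
  return nil if user_path.nil? || user_path.empty?
  root = File.expand_path(handin_root)
  # expand_path collapses "." and "..", and expands "~user", so every escape
  # attempt surfaces here as an absolute path that is simply outside root.
  candidate = File.expand_path(user_path, root)
  # Accept root itself or a descendant of root. Comparing against root plus a
  # separator avoids a bare prefix match on a sibling such as ".../handin2".
  return nil unless candidate == root || candidate.start_with?(root + File::SEPARATOR)
  candidate
end

# Partition a batch of requested handin paths into accepted (mapped to their
# resolved absolute path) and rejected ones.
def triage_handin_requests(handin_root, requests)
  accepted = {}
  rejected = []
  requests.each do |req|
    resolved = resolve_handin_path(handin_root, req)
    if resolved
      accepted[req] = resolved
    else
      rejected << req
    end
  end
  [accepted, rejected]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: the first two stay inside the handin area, the
  # rest either traverse out of it, are absolute, or are empty.
  samples = ["hw1/main.c", "./hw1/../hw2/report.pdf", "../../etc/passwd", "/etc/shadow", ""]
  accepted, rejected = triage_handin_requests("/var/autolab/handin", samples)
  puts "accepted: #{accepted.inspect}"
  puts "rejected: #{rejected.inspect}"
end
```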
Vulnerability Details
6.5 (medium)
EPSS: 0.4%
Classification
Original source: https://nvd.nist.gov/vuln/detail/CVE-2022-41956
First tracked: February 15, 2026 at 08:37 PM
Classified by LLM (prompt v3) · confidence: 95%