Affected software: CloudLinux CageFS, unknown version (old vulnerability from around 2016, I no longer have original report)
CloudLinux CageFS can be bypassed by running
-f parameter pointing to a file to read and then displaying job contents.
-f argument is not filtered by proxyexec before executing
at outside CageFS, allowing user inside CageFS to read files outside CageFS.
$ at -f /etc/passwd 00:00 $ at -c JOB_NUMBER
Update CageFS to unaffected version. Check if
-f parameter is filtered in
Unknown (old vulnerability from around 2016, I no longer have original report, it was fixed around 2016).