Insufficient Verification of Data Authenticity in Arduino Create Agent
CVE-2023-43800

7.3 HIGH

Key Information:

Vendor:
Arduino

CVE Published:
18 October 2023

What is CVE-2023-43800?

The Arduino Create Agent, a tool for managing Arduino development, has a vulnerability in its /v2/pkgs/tools/installed endpoint. An attacker who can send crafted HTTP POST requests to the localhost interface, or who can bypass the agent's CORS configuration, can exploit this issue to escalate privileges to those of the user running the Arduino Create Agent service. No workarounds exist; users are strongly advised to upgrade to version 1.3.3 to mitigate this risk.

Affected Version(s)

arduino-create-agent < 1.3.3

CVSS V3.1

Score: 7.3
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved