Path traversal in Arduino Create Agent
CVE-2023-43803

6.1MEDIUM

Key Information:

Vendor

Arduino

Status
Arduino-create-agent
Vendor
CVE Published:
18 October 2023

What is CVE-2023-43803?

Arduino Create Agent is a package to help manage Arduino development. This vulnerability affects the endpoint /v2/pkgs/tools/installed and the way it handles plugin names supplied as user input. A user who has the ability to perform HTTP requests to the localhost interface, or is able to bypass the CORS configuration, can delete arbitrary files or folders belonging to the user that runs the Arduino Create Agent via a crafted HTTP POST request. This issue has been addressed in version 1.3.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected Version(s)

arduino-create-agent < 1.3.3

References

https://github.com/arduino/arduino-create-agent/security/...
x_refsource_CONFIRM
https://github.com/arduino/arduino-create-agent/releases/...
x_refsource_MISC
https://www.nozominetworks.com/blog/security-flaws-affect...
x_refsource_MISC

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.