CVE-2023-43800

EPSS 0.03%
Veröffentlicht 18.10.2023 22:15:09
Zuletzt bearbeitet 21.11.2024 08:24:48
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Arduino Create Agent is a package to help manage Arduino development. The vulnerability affects the endpoint `/v2/pkgs/tools/installed`. A user who has the ability to perform HTTP requests to the localhost interface, or is able to bypass the CORS configuration, can escalate his privileges to those of the user running the Arduino Create Agent service via a crafted HTTP POST request. This issue has been addressed in version `1.3.3`. Users are advised to upgrade. There are no known workarounds for this issue.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Arduino ≫ Create Agent SwPlatformgo Version < 1.3.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.083

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	7.3	1.8	5.5	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

CWE-345 Insufficient Verification of Data Authenticity

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

https://github.com/arduino/arduino-create-agent/releases/tag/1.3.3

https://www.nozominetworks.com/blog/security-flaws-affect-a-component-of-the-arduino-create-cloud-ide

https://github.com/arduino/arduino-create-agent/security/advisories/GHSA-4x5q-q7wc-q22p

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-43800

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-43800

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-43800

EUVD