Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-m5jc-r4gf-c6p8: Arduino Create Agent path traversal - arbitrary file deletion vulnerability

Impact

The vulnerability affects the endpoint /v2/pkgs/tools/installed and the way it handles plugin names supplied as user input. A user who has the ability to perform HTTP requests to the localhost interface, or is able to bypass the CORS configuration, can delete arbitrary files or folders belonging to the user that runs the Arduino Create Agent via a crafted HTTP POST request. Further details are available in the references.

Fixed Version

  • 1.3.3

References

The issue was reported by Nozomi Networks Labs. Further details on the issue will soon be published and this advisory updated.

ghsa
Open in Source
#vulnerability#git
  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. CVE-2023-43803

Arduino Create Agent path traversal - arbitrary file deletion vulnerability

Package

gomod github.com/arduino/arduino-create-agent (Go)

Affected versions

< 1.3.3

Impact

The vulnerability affects the endpoint /v2/pkgs/tools/installed and the way it handles plugin names supplied as user input.
A user who has the ability to perform HTTP requests to the localhost interface, or is able to bypass the CORS configuration, can delete arbitrary files or folders belonging to the user that runs the Arduino Create Agent via a crafted HTTP POST request.
Further details are available in the references.

Fixed Version

  • 1.3.3

References

The issue was reported by Nozomi Networks Labs. Further details on the issue will soon be published and this advisory updated.

References

  • GHSA-m5jc-r4gf-c6p8
  • https://github.com/arduino/arduino-create-agent/releases/tag/1.3.3

Published to the GitHub Advisory Database

Oct 18, 2023

Last updated

Oct 18, 2023

Related news

CVE-2023-43803: Path traversal - arbitrary file deletes

Arduino Create Agent is a package to help manage Arduino development. This vulnerability affects the endpoint `/v2/pkgs/tools/installed` and the way it handles plugin names supplied as user input. A user who has the ability to perform HTTP requests to the localhost interface, or is able to bypass the CORS configuration, can delete arbitrary files or folders belonging to the user that runs the Arduino Create Agent via a crafted HTTP POST request. This issue has been addressed in version `1.3.3`. Users are advised to upgrade. There are no known workarounds for this vulnerability.

ghsa: Latest News

GHSA-g5x8-v2ch-gj2g: Vaultwarden HTML injection vulnerability
ghsa