Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-4x5q-q7wc-q22p: Arduino Create Agent Insufficient Verification of Data Authenticity vulnerability

Impact

The vulnerability affects the endpoint /v2/pkgs/tools/installed. A user who has the ability to perform HTTP requests to the localhost interface, or is able to bypass the CORS configuration, can escalate his privileges to those of the user running the Arduino Create Agent service via a crafted HTTP POST request. Further details are available in the references.

Fixed Version

  • 1.3.3

References

The issue was reported by Nozomi Networks Labs. Further details on the issue will soon be published and this advisory updated.

ghsa
Open in Source
#vulnerability#git#auth
  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. CVE-2023-43800

Arduino Create Agent Insufficient Verification of Data Authenticity vulnerability

Package

gomod github.com/arduino/arduino-create-agent (Go)

Affected versions

< 1.3.3

Impact

The vulnerability affects the endpoint /v2/pkgs/tools/installed. A user who has the ability to perform HTTP requests to the localhost interface, or is able to bypass the CORS configuration, can escalate his privileges to those of the user running the Arduino Create Agent service via a crafted HTTP POST request.
Further details are available in the references.

Fixed Version

  • 1.3.3

References

The issue was reported by Nozomi Networks Labs. Further details on the issue will soon be published and this advisory updated.

References

  • GHSA-4x5q-q7wc-q22p
  • https://github.com/arduino/arduino-create-agent/releases/tag/1.3.3

Published to the GitHub Advisory Database

Oct 18, 2023

Last updated

Oct 18, 2023

Related news

CVE-2023-43800: Insufficient Verification of Data Authenticity

Arduino Create Agent is a package to help manage Arduino development. The vulnerability affects the endpoint `/v2/pkgs/tools/installed`. A user who has the ability to perform HTTP requests to the localhost interface, or is able to bypass the CORS configuration, can escalate his privileges to those of the user running the Arduino Create Agent service via a crafted HTTP POST request. This issue has been addressed in version `1.3.3`. Users are advised to upgrade. There are no known workarounds for this issue.

ghsa: Latest News

GHSA-x7m9-mv49-fv73: Vaultwarden vulnerable to user impersonation
ghsa