Create Agent
CVE-2023-43800
HIGH
Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
Arduino Create Agent is a package to help manage Arduino development. The vulnerability affects the endpoint /v2/pkgs/tools/installed. A user who has the ability to perform HTTP requests to the localhost interface, or is able to bypass the CORS configuration, can escalate his privileges to those of the user running the Arduino Create Agent service via a crafted HTTP POST request. This issue has been addressed in version 1.3.3. Users are advised to upgrade. There are no known workarounds for this issue.
AnalysisAI
Arduino Create Agent is a package to help manage Arduino development. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-345. Arduino Create Agent is a package to help manage Arduino development. The vulnerability affects the endpoint /v2/pkgs/tools/installed. A user who has the ability to perform HTTP requests to the localhost interface, or is able to bypass the CORS configuration, can escalate his privileges to those of the user running the Arduino Create Agent service via a crafted HTTP POST request. This issue has been addressed in version 1.3.3. Users are advised to upgrade. There are no known workarounds for this issue. Affected products include: Arduino Create Agent.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
More in Create Agent
View allArduino Create Agent is a package to help manage Arduino development. Rated high severity (CVSS 7.8), this vulnerability
Arduino Create Agent is a package to help manage Arduino development. Rated high severity (CVSS 7.1), this vulnerability
Arduino Create Agent is a package to help manage Arduino development. Rated high severity (CVSS 7.1), this vulnerability
The Arduino Create Agent allows users to use the Arduino Create applications to upload code to any USB connected Arduino
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today