Arduino Create Agent Insufficient Verification of Data Authenticity vulnerability
High severity
GitHub Reviewed
Published
Oct 18, 2023
in
arduino/arduino-create-agent
•
Updated Nov 11, 2023
Package
Affected versions
< 1.3.3
Patched versions
1.3.3
Description
Published to the GitHub Advisory Database
Oct 18, 2023
Reviewed
Oct 18, 2023
Published by the National Vulnerability Database
Oct 18, 2023
Last updated
Nov 11, 2023
Impact
The vulnerability affects the endpoint
/v2/pkgs/tools/installed
. A user who has the ability to perform HTTP requests to the localhost interface, or is able to bypass the CORS configuration, can escalate his privileges to those of the user running the Arduino Create Agent service via a crafted HTTP POST request.Further details are available in the references.
Fixed Version
1.3.3
References
The issue was reported by Nozomi Networks Labs. Further details are available at the following URL:
References