Veracode Vulnerability Database, VERACODE:43914
Oct 20, 2023 - 6:28 a.m.

Directory Traversal

2023-10-20 06:28:49
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
arduino create
vulnerability
directory traversal
http delete
localhost interface
endpoint

CVSS3: 7.1

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

EPSS: 0.001
Percentile: 25.6%

github.com/arduino/arduino-create-agent is vulnerable to Directory Traversal. When the attacker has access to the localhost interface, they can send a specially crafted HTTP DELETE request to the /v2/pkgs/tools/installed endpoint, specifying the path of the file or folder that they want to delete. The Arduino Create Agent will then delete the file or folder, even if the attacker does not have permission to do so.
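
The class of check that prevents this kind of deletion, as an added Go example (not code from arduino-create-agent, and not a description of the project's actual fix). The names safeTarget, removeInstalled and ErrOutsideBase, the directory names and the sample inputs are hypothetical and constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideBase: the requested path does not stay inside the tools directory.
var ErrOutsideBase = errors.New("path escapes tools directory")

// safeTarget resolves a client-supplied relative path against base and rejects
// anything that lands outside base, or on base itself. It is lexical only:
// symlinks under base are not resolved (filepath.EvalSymlinks would be needed).
func safeTarget(base, requested string) (string, error) {
	if requested == "" || filepath.IsAbs(requested) {
		return "", ErrOutsideBase
	}
	absBase, err := filepath.Abs(base)
	if err != nil {
		return "", err
	}
	target := filepath.Join(absBase, requested) // Join cleans "." and ".." segments
	rel, err := filepath.Rel(absBase, target)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return target, nil
}

// removeInstalled deletes only after the containment check has passed.
func removeInstalled(base, requested string) error {
	target, err := safeTarget(base, requested)
	if err != nil {
		return err
	}
	return os.RemoveAll(target)
}

func main() {
	base := "/tmp/tools-example" // constructed directory name
	// Constructed inputs: one legitimate tool path, three that must be refused.
	for _, p := range []string{"exampletool/1.0.0", "../../etc", "/etc/passwd", "a/../../b"} {
		_, err := safeTarget(base, p)
		fmt.Printf("%-20q allowed=%v\n", p, err == nil)
	}
}
```

The check runs on the cleaned, joined path rather than on the raw request string, so inputs such as `a/../../b` that only escape after normalization are still refused.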
