CVE-2023-43800: 
Arduino Create Agent vulnerability analysis and mitigation

CVE-2023-43800 affects the Arduino Create Agent, a package designed to help manage Arduino development, up to version 1.3.2. The vulnerability was discovered in the endpoint /v2/pkgs/tools/installed. The issue was reported by Nozomi Networks Labs and was patched in version 1.3.3 released on October 18, 2023 (GitHub Release, Vendor Advisory).

The vulnerability is classified as CWE-345 (Insufficient Verification of Data Authenticity) with a CVSS v3.1 Base Score of 7.3 HIGH (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L). The vulnerability allows a user who can perform HTTP requests to the localhost interface or bypass the CORS configuration to escalate their privileges to those of the user running the Arduino Create Agent service through a crafted HTTP POST request (Vendor Advisory).

The vulnerability can lead to privilege escalation, allowing an attacker to execute arbitrary code on the system in the context of the Arduino Create Agent service. The impact severity depends on the workstation configuration where the Arduino Create Agent service is running. This scenario is particularly concerning in engineering workstations accessed by multiple operators with different accounts (Nozomi Networks).

Users are advised to upgrade to Arduino Create Agent version 1.3.3 or later, which contains the fix for this vulnerability. The update is available for download from the official repository. There are no known workarounds for this issue (GitHub Release, Nozomi Networks).