CVE-2023-43801: 
Arduino Create Agent vulnerability analysis and mitigation

The vulnerability (CVE-2023-43801) affects the Arduino Create Agent, a package designed to help manage Arduino development, specifically in version 1.3.2 and earlier. The vulnerability exists in the endpoint /v2/pkgs/tools/installed and its handling of plugin names supplied as user input. The issue was discovered and reported by Nozomi Networks Labs and was disclosed on October 18, 2023 (Nozomi Blog, GitHub Advisory).

The vulnerability is classified as a Path Traversal (CWE-22) issue with a CVSS v3.1 Base Score of 6.1 MEDIUM (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L). The vulnerability requires local access to exploit, has low attack complexity, requires low privileges, and needs no user interaction. The scope is unchanged, with no impact on confidentiality but high impact on integrity and low impact on availability (GitHub Advisory).

A user who has the ability to perform HTTP requests to the localhost interface, or can bypass the CORS configuration, can delete arbitrary files or folders belonging to the user that runs the Arduino Create Agent via a crafted HTTP DELETE request. The vulnerability could be exploited by either a physical user or malware with local privileges running on the system (Nozomi Blog).

The vulnerability has been addressed in version 1.3.3 of the Arduino Create Agent. Users are advised to upgrade to this version, which is available for download from the official repository. There are no known workarounds for this issue (GitHub Release).