CVE-2023-43802: 
Arduino Create Agent vulnerability analysis and mitigation

Arduino Create Agent, a package designed to help manage Arduino development, contains a critical vulnerability identified as CVE-2023-43802. The vulnerability was discovered in versions prior to 1.3.3 and affects the /upload endpoint which handles requests with the filename parameter. This security flaw was disclosed on October 18, 2023, and impacts systems running the Arduino Create Agent service (NVD, GitHub Advisory).

The vulnerability is classified as a Path Traversal (CWE-35) issue with a CVSS v3.1 Base Score of 7.3 (HIGH). The attack vector is local, requiring low attack complexity and low privileges, with no user interaction needed. The CVSS vector string is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L, indicating high impacts on confidentiality and integrity, with low impact on availability (Nozomi Networks).

The vulnerability allows an attacker with local system access to escalate their privileges to match those of the user running the Arduino Create Agent service. This privilege escalation could enable unauthorized users to execute privileged operations that would normally be restricted, such as system shutdown. The impact is particularly significant in engineering workstations accessed by multiple operators with different account levels (Nozomi Networks).

The vulnerability has been addressed in Arduino Create Agent version 1.3.3. Users are strongly advised to upgrade to this version to prevent potential system abuse. There are no known workarounds for this vulnerability other than updating to the patched version (GitHub Release).