CVE-2023-43741

Name of the Vulnerable Software and Affected Versions Buildkite Elastic CI for AWS versions prior to 6.7.1 Buildkite Elastic CI for AWS version 5.22.5

Description A time-of-check-time-of-use race condition issue allows the buildkite-agent user to bypass a symbolic link check for the PIPELINE PATH variable in the fix-buildkite-agent-builds-permissions script.

Recommendations For versions prior to 6.7.1, update to version 6.7.1 or later. For version 5.22.5, update to a version later than 5.22.5. As a temporary workaround, consider restricting access to the fix-buildkite-agent-builds-permissions script until a patch is available. Avoid using the PIPELINE PATH variable in the affected script until the issue is resolved.