CVE-2023-43800

Name of the Vulnerable Software and Affected Versions Arduino Create Agent versions prior to 1.3.3

Description The issue affects the endpoint "/v2/pkgs/tools/installed". A user who can perform HTTP requests to the localhost interface, or bypass the CORS configuration, can escalate privileges to those of the user running the Arduino Create Agent service via a crafted HTTP POST request.

Recommendations For versions prior to 1.3.3, upgrade to version 1.3.3 to resolve the issue. As a temporary workaround, consider restricting access to the "/v2/pkgs/tools/installed" endpoint until the upgrade is applied.