CVE-2023-43741

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2023-43741
A time-of-check-time-of-use race condition vulnerability in Buildkite Elastic CI for AWS versions prior to 6.7.1 and 5.22.5 allows the buildkite-agent user to bypass a symbolic link check for the PIPELINE_PATH variable in the fix-buildkite-agent-builds-permissions script.

7.0 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.0 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/atredispartners/advisories/blob/master/ATREDIS-2023-0003.md Exploit Third Party Advisory
https://github.com/atredispartners/advisories/blob/master/ATREDIS-2023-0003.md Exploit Third Party Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:buildkite:elastic_ci_stack:*:*:*:*:*:aws:*:*
cpe:2.3:a:buildkite:elastic_ci_stack:*:*:*:*:*:aws:*:*
History

21 Nov 2024, 08:24

Type Values Removed Values Added
Summary (es) Una vulnerabilidad de condición de ejecución de time-of-check-time-of-use en Buildkite Elastic CI para versiones de AWS anteriores a 6.7.1 y 5.22.5 permite al usuario de buildkite-agent omitir una verificación de enlace simbólico para la variable PIPELINE_PATH en el script -buildkite-agent-build-permissions. (es) Una vulnerabilidad de condición de ejecución de time-of-check-time-of-use en Buildkite Elastic CI para versiones de AWS anteriores a 6.7.1 y 5.22.5 permite al usuario de buildkite-agent omitir una verificación de enlace simbólico para la variable PIPELINE_PATH en el script fix-buildkite-agent-builds-permissions.
References () https://github.com/atredispartners/advisories/blob/master/ATREDIS-2023-0003.md - Exploit, Third Party Advisory () https://github.com/atredispartners/advisories/blob/master/ATREDIS-2023-0003.md - Exploit, Third Party Advisory

03 Jan 2024, 02:33

Type Values Removed Values Added
CPE cpe:2.3:a:buildkite:elastic_ci_stack:*:*:*:*:*:aws:*:*
References () https://github.com/atredispartners/advisories/blob/master/ATREDIS-2023-0003.md - () https://github.com/atredispartners/advisories/blob/master/ATREDIS-2023-0003.md - Exploit, Third Party Advisory
First Time Buildkite elastic Ci Stack
Buildkite
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 7.0
CWE CWE-367

22 Dec 2023, 12:18

Type Values Removed Values Added
Summary
  • (es) Una vulnerabilidad de condición de ejecución de time-of-check-time-of-use en Buildkite Elastic CI para versiones de AWS anteriores a 6.7.1 y 5.22.5 permite al usuario de buildkite-agent omitir una verificación de enlace simbólico para la variable PIPELINE_PATH en el script -buildkite-agent-build-permissions.

22 Dec 2023, 10:15

Type Values Removed Values Added
New CVE
Information

Published : 2023-12-22 10:15

Updated : 2024-11-21 08:24

NVD link : CVE-2023-43741

Mitre link : CVE-2023-43741

CVE.ORG link : CVE-2023-43741

JSON object : View

Products Affected

buildkite

  • elastic_ci_stack
CWE
CWE-367

Time-of-check Time-of-use (TOCTOU) Race Condition