Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1yNWhnLTM0OXEtbWcycc4AA3_u
Buildkite Elastic CI for AWS time-of-check-time-of-use race condition vulnerability
A time-of-check-time-of-use race condition vulnerability in Buildkite Elastic CI for AWS versions prior to 6.7.1 and 5.22.5 allows the buildkite-agent user to bypass a symbolic link check for the PIPELINE_PATH variable in the fix-buildkite-agent-builds-permissions script.
Permalink: https://github.com/advisories/GHSA-r5hg-349q-mg2qJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yNWhnLTM0OXEtbWcycc4AA3_u
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 5 months ago
Updated: 4 months ago
CVSS Score: 7.0
CVSS vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-r5hg-349q-mg2q, CVE-2023-43741
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-43741
- https://github.com/atredispartners/advisories/blob/master/ATREDIS-2023-0003.md
- https://github.com/buildkite/elastic-ci-stack-for-aws/commit/edad0b158ea10a6647bb1c84629d93f5c3d8770e
- https://github.com/advisories/GHSA-r5hg-349q-mg2q
Blast Radius: 1.0
Affected Packages
go:github.com/buildkite/elastic-ci-stack-for-aws/v6
Dependent packages: 0Dependent repositories: 0
Downloads:
Affected Version Ranges: < 6.7.1
Fixed in: 6.7.1
All affected versions: 6.0.0, 6.1.0, 6.2.0, 6.3.0, 6.4.0, 6.5.0, 6.6.0, 6.7.0
All unaffected versions: 6.7.1, 6.8.0, 6.9.0, 6.10.0, 6.11.0, 6.12.0, 6.13.0, 6.14.0, 6.15.0, 6.16.0, 6.17.0, 6.18.0, 6.19.0, 6.20.0