CVE-2023-43741

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-43741

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-43741.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2023-43741

Aliases

Published

2023-12-22T10:15:11Z

Modified

2025-10-16T10:10:56.797609Z

Severity

7.0 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

A time-of-check-time-of-use race condition vulnerability in Buildkite Elastic CI for AWS versions prior to 6.7.1 and 5.22.5 allows the buildkite-agent user to bypass a symbolic link check for the PIPELINE_PATH variable in the fix-buildkite-agent-builds-permissions script.

References

https://github.com/atredispartners/advisories/blob/master/ATREDIS-2023-0003.md

Affected packages

Git / github.com/buildkite/elastic-ci-stack-for-aws

Affected ranges

Type: GIT
Repo: https://github.com/buildkite/elastic-ci-stack-for-aws
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

f3f9ff8b29696091f5cca05477c0756aa8ad3cee

Affected versions

v1.*

v1.0

v1.1

v1.1.1

v2.*

v2.0.0

v2.0.0-rc1

v2.0.0-rc2

v2.0.0-rc3

v2.0.0-rc4

v2.0.0-rc5

v2.0.0-rc6

v2.0.0-rc7

v2.0.1

v2.0.2

v2.1.0

v2.1.1

v2.1.2

v2.2.0

v2.2.0-rc1

v2.2.0-rc2

v2.2.0-rc3

v2.2.0-rc4

v2.3.0

v2.3.1

v2.3.5-rc1

v3.*

v3.0.0

v3.0.0-rc1

v3.1.0

v3.1.1

v3.2.0

v3.2.1

v4.*

v4.0.0

v4.0.0-rc1

v4.0.0-rc2

v4.0.0-rc3

v4.0.1

v4.0.2

v4.0.3

v4.0.4

v4.1.0

v4.2.0

v4.3.0

v4.3.1

v4.3.2

v5.*

v5.0.0

v5.0.0-beta1

v5.1.0

v5.10.0

v5.11.0

v5.11.1

v5.11.2

v5.12.0

v5.13.0

v5.14.0

v5.15.0

v5.16.0

v5.17.0

v5.18.0

v5.19.0

v5.2.0

v5.20.0

v5.21.0

v5.22.0

v5.22.1

v5.22.2

v5.22.3

v5.22.4

v5.3.0

v5.3.1

v5.3.2

v5.4.0

v5.5.0

v5.5.1

v5.6.0

v5.6.1

v5.7.0

v5.7.1

v5.7.2

v5.8.0

v5.8.1

v5.9.0