Time-of-check Time-of-use (TOCTOU) Race Condition

CVE-2023-43741

High

7/10

Summary

A time-of-check-time-of-use race condition vulnerability in Buildkite Elastic CI for AWS versions prior to 5.22.5, and 6.0.x prior to 6.7.1 allows the buildkite-agent user to bypass a symbolic link check for the "PIPELINE_PATH" variable in the "fix-buildkite-agent-builds-permissions script".

Attack Complexity: HIGH
Attack Vector: LOCAL
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: LOW
Confidentiality Impact: HIGH
Availability Impact: HIGH

CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition

The software checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the software to perform invalid actions when the resource is in an unexpected state.

References

Advisory
POC/Exploit
Release Note
Pull request

Advisory Timeline

Published Dec 22, 2023

Time-of-check Time-of-use (TOCTOU) Race Condition

CVE-2023-43741

Summary

CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS