
CVE-2023-43116:
Buildkite Elastic CI for AWS symbolic link following vulnerability

CVSS Score (v3.1): 7.8

Basic Information

EPSS Score: 0.26825%
Published: 12/22/2023
Updated: 1/3/2024
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name: github.com/buildkite/elastic-ci-stack-for-aws/v6
Ecosystem: go
Vulnerable Versions: < 6.7.0
First Patched Version: 6.7.0

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from the script's handling of the PIPELINE_PATH variable. The pre-patch code (shown in the diff) directly executed '/bin/chown -R' on the constructed path without checking for symlinks. The patch added three validations: 1) a realpath check to guard against symlink resolution, 2) a directory existence check, and 3) an early exit for non-existent paths. The vulnerable code path was the unconditional chown execution after only a basic existence check, which did not account for symlink manipulation. Because the script runs with sudo permissions, this was particularly dangerous: it could be exploited for privilege escalation.
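A constructed illustration of the post-patch validation pattern described above, added here as an example and not taken from the Elastic CI stack's own script: refuse symlinks, exit early on missing paths, require a directory, canonicalise with realpath and require the result to sit under the builds root, and only then hand the path to chown. The function names, return codes and the builds-root layout are assumptions.

```shell
#!/bin/sh
# Illustrative hardening of a "chown -R on a caller-supplied path" step.
# Constructed example; function names and return codes are assumed.

# validate_pipeline_path ROOT CANDIDATE
# Returns 0 only when CANDIDATE is an existing, non-symlink directory whose
# canonical location is strictly inside the canonical ROOT.
validate_pipeline_path() {
    root="$1"
    candidate="$2"

    # 1) The target itself must not be a symlink: chown -R would follow it
    #    and re-own whatever directory the link points at.
    if [ -L "$candidate" ]; then
        echo "refusing symlink: $candidate" >&2
        return 2
    fi

    # 2) Early exit when the path does not exist at all.
    if [ ! -e "$candidate" ]; then
        echo "path does not exist: $candidate" >&2
        return 3
    fi

    # 3) Only directories are eligible.
    if [ ! -d "$candidate" ]; then
        echo "not a directory: $candidate" >&2
        return 4
    fi

    # 4) Canonicalise both sides with realpath and require the candidate to
    #    sit under the root; this also catches a symlinked parent directory.
    real_root=$(realpath "$root") || return 5
    real_candidate=$(realpath "$candidate") || return 5
    case "$real_candidate" in
        "$real_root"/*) return 0 ;;
        *) echo "escapes builds root: $real_candidate" >&2; return 6 ;;
    esac
}

# fix_ownership ROOT CANDIDATE OWNER
# Prints the chown command it would run so the check can be exercised
# without privileges; a real script would execute it instead of echoing.
fix_ownership() {
    validate_pipeline_path "$1" "$2" || return $?
    echo "/bin/chown -R $3 $(realpath "$2")"
}
```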
