Arduino App Lab has Improper Data Validation in Internal Terminal Interface

Arduino App Lab is a cross-platform IDE for developing Arduino Apps. Prior to 0.4.0, a vulnerability was identified in the Terminal component of the arduino-app-lab application. The issue stems from insufficient sanitization and validation of input data received from connected hardware devices, specifically in the _info.Serial and _info.Address metadata fields. The problem occurs during device information handling. When a board is connected, the application collects identifying attributes to establish a terminal session. Because strict validation is not enforced for the Serial and Address parameters, an attacker with control over the connected hardware can supply specially crafted strings containing shell metacharacters. The exploitation requires direct physical access to a previously tampered board. When the host system processes these fields, any injected payload is executed with the privileges of the user running arduino-app-lab. This vulnerability is fixed in 0.4.0.

CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H

OS命令中使用的特殊元素转义处理不恰当(OS命令注入)

Arduino App Lab 操作系统命令注入漏洞

Arduino App Lab是Arduino开源的一个用于开发Arduino应用程序的集成开发环境。 Arduino App Lab 0.4.0之前版本存在操作系统命令注入漏洞，该漏洞源于终端组件对来自硬件设备的输入数据清理和验证不足，可能导致执行包含shell元字符的特制字符串。

N/A

N/A