CVE-2010-5142 - OpenCVE

chef-server-api/app/controllers/users.rb in the API in Chef before 0.9.0 does not require administrative privileges for the create, destroy, and update methods, which allows remote authenticated users to manage user accounts via requests to the /users URI.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Opscode	Chef

Configuration 1 [-]

OR	cpe:2.3:a:opscode:chef::::::::
	cpe:2.3:a:opscode:chef:0.7.2:::::::*
	cpe:2.3:a:opscode:chef:0.7.4:::::::*
	cpe:2.3:a:opscode:chef:0.7.6:::::::*
	cpe:2.3:a:opscode:chef:0.7.8:::::::*
	cpe:2.3:a:opscode:chef:0.7.10:::::::*
	cpe:2.3:a:opscode:chef:0.7.12:::::::*
	cpe:2.3:a:opscode:chef:0.7.14:::::::*
	cpe:2.3:a:opscode:chef:0.8.2:::::::*
	cpe:2.3:a:opscode:chef:0.8.4:::::::*
	cpe:2.3:a:opscode:chef:0.8.6:::::::*
	cpe:2.3:a:opscode:chef:0.8.8:::::::*

References

Link	Resource
http://tickets.opscode.com/browse/CHEF-1289
https://github.com/opscode/chef/commit/c3bb41f727fbe00e5de719d687757b24c8dcdfc8	Patch

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2022-10-03T16:21:03

Updated: 2022-10-03T16:21:03

Reserved: 2022-10-03T00:00:00

Link: CVE-2010-5142

JSON object: View

NVD Information

Status : Analyzed

Published: 2012-08-08T10:26:17.503

Modified: 2012-08-13T04:00:00.000

Link: CVE-2010-5142

JSON object: View

Redhat Information

No data.

CWE

CWE-264

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "chef-server-api/app/controllers/users.rb in the API in Chef before 0.9.0 does not require administrative privileges for the create, destroy, and update methods, which allows remote authenticated users to manage user accounts via requests to the /users URI."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-10-03T16:21:03", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/opscode/chef/commit/c3bb41f727fbe00e5de719d687757b24c8dcdfc8"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://tickets.opscode.com/browse/CHEF-1289"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2010-5142", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "chef-server-api/app/controllers/users.rb in the API in Chef before 0.9.0 does not require administrative privileges for the create, destroy, and update methods, which allows remote authenticated users to manage user accounts via requests to the /users URI."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/opscode/chef/commit/c3bb41f727fbe00e5de719d687757b24c8dcdfc8", "refsource": "CONFIRM", "url": "https://github.com/opscode/chef/commit/c3bb41f727fbe00e5de719d687757b24c8dcdfc8"}, {"name": "http://tickets.opscode.com/browse/CHEF-1289", "refsource": "CONFIRM", "url": "http://tickets.opscode.com/browse/CHEF-1289"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2010-5142", "datePublished": "2022-10-03T16:21:03", "dateReserved": "2022-10-03T00:00:00", "dateUpdated": "2022-10-03T16:21:03", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:opscode:chef:*:*:*:*:*:*:*:*", "matchCriteriaId": "56BED2E7-173C-4990-AD1E-061B006C0083", "versionEndIncluding": "0.8.10", "vulnerable": true}, {"criteria": "cpe:2.3:a:opscode:chef:0.7.2:*:*:*:*:*:*:*", "matchCriteriaId": "4303E45B-3CC7-4F86-9AA3-9DE9E340DDB7", "vulnerable": true}, {"criteria": "cpe:2.3:a:opscode:chef:0.7.4:*:*:*:*:*:*:*", "matchCriteriaId": "2DE318AD-5737-453F-90B9-449A3593887E", "vulnerable": true}, {"criteria": "cpe:2.3:a:opscode:chef:0.7.6:*:*:*:*:*:*:*", "matchCriteriaId": "D0FB009E-708B-41BE-98E3-0548204A594A", "vulnerable": true}, {"criteria": "cpe:2.3:a:opscode:chef:0.7.8:*:*:*:*:*:*:*", "matchCriteriaId": "C369798E-2499-4DD5-8C13-F7A3D0BCAED9", "vulnerable": true}, {"criteria": "cpe:2.3:a:opscode:chef:0.7.10:*:*:*:*:*:*:*", "matchCriteriaId": "E247C8C9-7404-4920-9CA8-91316483CF01", "vulnerable": true}, {"criteria": "cpe:2.3:a:opscode:chef:0.7.12:*:*:*:*:*:*:*", "matchCriteriaId": "0189B6A3-9D58-40D7-BB42-101A600B5014", "vulnerable": true}, {"criteria": "cpe:2.3:a:opscode:chef:0.7.14:*:*:*:*:*:*:*", "matchCriteriaId": "97B55226-BC34-4060-A37D-8317B8BFB43B", "vulnerable": true}, {"criteria": "cpe:2.3:a:opscode:chef:0.8.2:*:*:*:*:*:*:*", "matchCriteriaId": "E624C53F-1755-4E88-B575-1AB92781A06C", "vulnerable": true}, {"criteria": "cpe:2.3:a:opscode:chef:0.8.4:*:*:*:*:*:*:*", "matchCriteriaId": "DAA73864-4852-47D9-9EB9-A2AD654D0BAC", "vulnerable": true}, {"criteria": "cpe:2.3:a:opscode:chef:0.8.6:*:*:*:*:*:*:*", "matchCriteriaId": "112F8AEB-9DD0-4A68-B69C-B677BE373DAE", "vulnerable": true}, {"criteria": "cpe:2.3:a:opscode:chef:0.8.8:*:*:*:*:*:*:*", "matchCriteriaId": "9C6B61EE-2F0D-49DC-ADFD-D0A25A21B8B6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "chef-server-api/app/controllers/users.rb in the API in Chef before 0.9.0 does not require administrative privileges for the create, destroy, and update methods, which allows remote authenticated users to manage user accounts via requests to the /users URI."}, {"lang": "es", "value": "chef-server-api/app/controllers/users.rb en la API en Chef anterior a v0.9.0 no requieren privilegios administrativos para crear, destruir, y m\u00e9todos de actualizaci\u00f3n, que permite a usuarios remotos autenticados administrar cuentas de usuario a trav\u00e9s de solicitudes a los usuarios URI."}], "id": "CVE-2010-5142", "lastModified": "2012-08-13T04:00:00.000", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2012-08-08T10:26:17.503", "references": [{"source": "cve@mitre.org", "url": "http://tickets.opscode.com/browse/CHEF-1289"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://github.com/opscode/chef/commit/c3bb41f727fbe00e5de719d687757b24c8dcdfc8"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-264"}], "source": "nvd@nist.gov", "type": "Primary"}]}