In Chef Automate prior to and including version 4.10.29, uploading a profile through either the API or the user interface, using the InSpec check command with a maliciously crafted profile, allows remote code execution.
References
Link | Resource |
---|---|
https://community.progress.com/s/article/Product-Alert-Bulletin-October-2023-CHEF-Automate-CVE-2023-40050 | Vendor Advisory |
https://docs.chef.io/automate/profiles/ | Product |
https://docs.chef.io/release_notes_automate/ | Release Notes |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: ProgressSoftware
Published: 2023-10-31T14:07:59.881Z
Updated: 2023-10-31T14:07:59.881Z
Reserved: 2023-08-08T19:44:41.112Z
Link: CVE-2023-40050
NVD Information
Status: Analyzed
Published: 2023-10-31T15:15:09.227
Modified: 2023-11-08T17:34:25.577
Link: CVE-2023-40050
Redhat Information
No data.