CVE-2023-40050

Опубликовано: 31 окт. 2023

Источник: nvd

CVSS3: 9.9

CVSS3: 8.8

EPSS Низкий

Описание

Upload profile either through API or user interface in Chef Automate prior to and including version 4.10.29 using InSpec check command with maliciously crafted profile allows remote code execution.

Ссылки

https://community.progress.com/s/article/Product-Alert-Bulletin-October-2023-CHEF-Automate-CVE-2023-40050
Vendor Advisory
https://docs.chef.io/automate/profiles/
Product
https://docs.chef.io/release_notes_automate/
Release Notes
https://community.progress.com/s/article/Product-Alert-Bulletin-October-2023-CHEF-Automate-CVE-2023-40050
Vendor Advisory
https://docs.chef.io/automate/profiles/
Product
https://docs.chef.io/release_notes_automate/
Release Notes

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:chef:automate:*:*:*:*:*:*:*:*

Версия до 4.10.29 (включая)

EPSS

Процентиль: 93%

0.09887

Низкий

9.9 Critical

CVSS3

8.8 High

CVSS3

Дефекты

CWE-94

Связанные уязвимости

GHSA-7fj6-6m8r-4v8h

CVSS3: 9.9

github

больше 2 лет назад

Upload profile either through API or user interface in Chef Automate prior to and including version 4.10.29 using InSpec check command with maliciously crafted profile allows remote code execution.

EPSS

Процентиль: 93%

0.09887

Низкий

9.9 Critical

CVSS3

8.8 High

CVSS3

Дефекты

CWE-94