CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2023-42658 – InSpec Archive Command Vulnerable to Maliciously Crafted Profile
https://notcve.org/view.php?id=CVE-2023-42658
31 Oct 2023 — Archive command in Chef InSpec prior to 4.56.58 and 5.22.29 allow local command execution via maliciously crafted profile. El comando de archivo en Chef InSpec anteriores a 4.56.58 y 5.22.29 permite la ejecución de comandos locales a través de un perfil creado con fines malintencionados. • https://community.progress.com/s/article/Product-Alert-Bulletin-October-2023-CHEF-Inspec-CVE-2023-42658 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') •
CVSS: 9.9EPSS: 9%CPEs: 1EXPL: 0CVE-2023-40050 – Automate Vulnerable to Malicious Content Uploaded Through Embedded Compliance Application
https://notcve.org/view.php?id=CVE-2023-40050
31 Oct 2023 — Upload profile either through API or user interface in Chef Automate prior to and including version 4.10.29 using InSpec check command with maliciously crafted profile allows remote code execution. Cargue el perfil a través de API o interfaz de usuario en Chef Automate antes de la versión 4.10.29 incluida utilizando el comando de verificación InSpec con un perfil creado con fines malintencionados que permite la ejecución remota de código. Upload profile either through API or user interface in Chef Automate ... • https://community.progress.com/s/article/Product-Alert-Bulletin-October-2023-CHEF-Automate-CVE-2023-40050 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2015-8559
https://notcve.org/view.php?id=CVE-2015-8559
21 Sep 2017 — The knife bootstrap command in chef Infra client before version 15.4.45 leaks the validator.pem private RSA key to /var/log/messages. El comando knife bootstrap en el cliente chef Infra antes de la versión 15.4.45 filtra la clave RSA privada validator.pem a /var/log/messages • http://www.openwall.com/lists/oss-security/2015/12/14/14 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.8EPSS: 2%CPEs: 11EXPL: 0CVE-2017-7174
https://notcve.org/view.php?id=CVE-2017-7174
17 Mar 2017 — The user-account creation feature in Chef Manage 2.1.0 through 2.4.4 allows remote attackers to execute arbitrary code. This is fixed in 2.4.5. La función de creación de cuenta de usuario en Chef Manage 2.1.0 hasta la versión 2.4.4 permite a atacantes remotos ejecutar código arbitrario. Esto se soluciona en la versión 2.4.5. • http://www.securityfocus.com/bid/97069 •
CVSS: 9.8EPSS: 2%CPEs: 1EXPL: 0CVE-2016-4326
https://notcve.org/view.php?id=CVE-2016-4326
10 Jun 2016 — The Chef Manage (formerly opscode-manage) add-on before 1.12.0 for Chef allows remote attackers to execute arbitrary code via crafted serialized data in a cookie. El add-on Chef Manage (antes opscode-manage) en versiones anteriores a 1.12.0 para Chef permite a atacantes remotos ejecutar código arbitrario a través de datos serializados manipulados en una cookie. • http://www.kb.cert.org/vuls/id/586503 •