CVE-2023-40050

{"id": "CVE-2023-40050", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.1}, {"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2023-10-31T15:15:09.227", "references": [{"url": "https://community.progress.com/s/article/Product-Alert-Bulletin-October-2023-CHEF-Automate-CVE-2023-40050", "tags": ["Vendor Advisory"], "source": "[email protected]"}, {"url": "https://docs.chef.io/automate/profiles/", "tags": ["Product"], "source": "[email protected]"}, {"url": "https://docs.chef.io/release_notes_automate/", "tags": ["Release Notes"], "source": "[email protected]"}, {"url": "https://community.progress.com/s/article/Product-Alert-Bulletin-October-2023-CHEF-Automate-CVE-2023-40050", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://docs.chef.io/automate/profiles/", "tags": ["Product"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://docs.chef.io/release_notes_automate/", "tags": ["Release Notes"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-94"}, {"lang": "en", "value": "CWE-434"}]}, {"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-94"}]}], "descriptions": [{"lang": "en", "value": "Upload profile either\nthrough API or user interface in Chef Automate prior to and including version 4.10.29 using InSpec\ncheck command with maliciously crafted profile allows remote code execution. \n\n\n\n\n\n\n\n\n\n\n\n"}, {"lang": "es", "value": "Cargue el perfil a trav\u00e9s de API o interfaz de usuario en Chef Automate antes de la versi\u00f3n 4.10.29 incluida utilizando el comando de verificaci\u00f3n InSpec con un perfil creado con fines malintencionados que permite la ejecuci\u00f3n remota de c\u00f3digo."}], "lastModified": "2024-11-21T08:18:36.260", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:chef:automate:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "906C8F59-E452-439A-873A-955FC0BCFF02", "versionEndIncluding": "4.10.29"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}