CVE-2023-40050

CVSS V2 None CVSS V3 None

Description

Upload profile either through API or user interface in Chef Automate prior to and including version 4.10.29 using InSpec check command with maliciously crafted profile allows remote code execution.

Overview

CVE ID
CVE-2023-40050

Assigner
ProgressSoftware

Vulnerability Status
PUBLISHED

Published Version
2023-10-31T14:07:59.881Z

Last Modified Date
2023-10-31T14:07:59.881Z

Weakness Enumerations

CWE	URL
CWE-94	http://cwe.mitre.org/data/definitions/94.html
CWE-434	http://cwe.mitre.org/data/definitions/434.html

References

Reference URL	Reference Tags
https://docs.chef.io/release_notes_automate/	release-notes
https://docs.chef.io/automate/profiles/	release-notes
https://community.progress.com/s/article/Product-Alert-Bulletin-October-2023-CHEF-Automate-CVE-2023-40050	vendor-advisory

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2023-40050
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40050

History

Created	Old Value	New Value	Data Type	Notes
2024-06-25 02:19:01				Added to TrackCVE