CVE-2010-5142 – chef

Package

Manager: gem
Name: chef
Vulnerable Version: >=0 <0.9.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00391 pctl0.59381

Details

Chef Improper Access Control vulnerability `chef-server-api/app/controllers/users.rb` in the API in Chef before 0.9.0 does not require administrative privileges for the create, destroy, and update methods, which allows remote authenticated users to manage user accounts via requests to the /users URI.

Metadata

Created: 2022-05-17T05:26:20Z
Modified: 2024-02-09T21:53:21Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-f68m-q26r-64f6/GHSA-f68m-q26r-64f6.json
CWE IDs: ["CWE-284"]
Alternative ID: GHSA-f68m-q26r-64f6
Finding: F039
Auto approve: 1