Lucene search

[email protected]CVE-2011-5098

HistoryOct 03, 2022 - 4:15 p.m.

CVE-2011-5098

2022-10-0316:15:12

CWE-264

[email protected]

web.nvd.nist.gov

cve-2011-5098

chef server

chef

access restriction bypass

remote authenticated users

6.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

6.6 Medium

AI Score

Confidence

Low

0.002 Low

EPSS

Percentile

59.7%

JSON

chef-server-api/app/controllers/clients.rb in Chef Server in Chef before 0.9.20, and 0.10.x before 0.10.6, does not require administrative privileges for creating admin clients, which allows remote authenticated users to bypass intended access restrictions by leveraging read permission for the validation key and executing a knife client create command with the --admin option.

Affected configurations

NVD

Node

opscodechefRange≤0.9.18

opscodechefMatch0.5.1

opscodechefMatch0.5.2

opscodechefMatch0.5.4

opscodechefMatch0.5.6

opscodechefMatch0.6.0

opscodechefMatch0.6.2

opscodechefMatch0.7.2

opscodechefMatch0.7.4

opscodechefMatch0.7.6

opscodechefMatch0.7.8

opscodechefMatch0.7.10

opscodechefMatch0.7.12

opscodechefMatch0.7.14

opscodechefMatch0.8.2

opscodechefMatch0.8.4

opscodechefMatch0.8.6

opscodechefMatch0.8.8

opscodechefMatch0.8.10

opscodechefMatch0.8.12

opscodechefMatch0.8.14

opscodechefMatch0.8.16

opscodechefMatch0.9.0

opscodechefMatch0.9.2

opscodechefMatch0.9.4

opscodechefMatch0.9.6

opscodechefMatch0.9.8

opscodechefMatch0.9.10

opscodechefMatch0.9.12

opscodechefMatch0.9.14

opscodechefMatch0.9.16

opscodechefMatch0.10.0

opscodechefMatch0.10.2

opscodechefMatch0.10.4

CPENameOperatorVersion
opscode:chefopscode chefle0.9.18
opscode:chefopscode chefeq0.5.1
opscode:chefopscode chefeq0.5.2
opscode:chefopscode chefeq0.5.4
opscode:chefopscode chefeq0.5.6
opscode:chefopscode chefeq0.6.0
opscode:chefopscode chefeq0.6.2
opscode:chefopscode chefeq0.7.2
opscode:chefopscode chefeq0.7.4
opscode:chefopscode chefeq0.7.6

CPE	Name	Operator	Version
opscode:chef	opscode chef	le	0.9.18
opscode:chef	opscode chef	eq	0.5.1
opscode:chef	opscode chef	eq	0.5.2
opscode:chef	opscode chef	eq	0.5.4
opscode:chef	opscode chef	eq	0.5.6
opscode:chef	opscode chef	eq	0.6.0
opscode:chef	opscode chef	eq	0.6.2
opscode:chef	opscode chef	eq	0.7.2
opscode:chef	opscode chef	eq	0.7.4
opscode:chef	opscode chef	eq	0.7.6