vulnrichment | ProgressSoftware | VULNRICHMENT:CVE-2023-42658
History: Oct 31, 2023 - 2:08 p.m.

CVE-2023-42658 InSpec Archive Command Vulnerable to Maliciously Crafted Profile

2023-10-31 14:08:03
CWE-917
CWE-94
ProgressSoftware
github.com
cve-2023-42658
inspec
archive command
vulnerable
maliciously crafted profile
local command execution

CVSS3: 8.8

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

AI Score: 6.9
Confidence: High

SSVC

Exploitation: none
Automatable: no
Technical Impact: total

The archive command in Chef InSpec prior to 4.56.58 and 5.22.29 allows local command execution via a maliciously crafted profile.

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:chef:inspec:*:*:*:*:*:*:*:*"
    ],
    "vendor": "chef",
    "product": "inspec",
    "versions": [
      {
        "status": "affected",
        "version": "4.0",
        "lessThan": "4.56.58",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "5.0",
        "lessThan": "5.22.29",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "0",
        "lessThan": "4.0",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unknown"
  }
]
