CVE-2023-40050

Summary

Upload profile either through API or user interface in Chef Automate prior to and including version 4.10.29 using InSpec check command with maliciously crafted profile allows remote code execution.

Affected Software

VendorProductVersion RangeStatus
Progress Software CorporationChef Automate4.0.0 <= 4.10.29affected

Weaknesses

  • CWE-94: CWE-94 Improper Control of Generation of Code ('Code Injection')
  • CWE-434: CWE-434 Unrestricted Upload of File with Dangerous Type

Workarounds

Workaround (optional): Chef recommends all users to manually inspect and lint with a tool similar to test-kitchen all profiles and cookbooks prior to usage in production.

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References