CVE-2023-42658

Summary

Archive command in Chef InSpec prior to 4.56.58 and 5.22.29 allow local command execution via maliciously crafted profile.

Affected Software

VendorProductVersion RangeStatus
Progress Software CorporationChef InSpec4.0.0 < 4.56.58affected
Progress Software CorporationChef InSpec5.0.0 < 5.22.29affected

Weaknesses

  • CWE-94: CWE-94 Improper Control of Generation of Code ('Code Injection')
  • CWE-917: CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

Workarounds

Workaround (optional): Chef recommends all users to manually inspect and lint with a tool similar to test-kitchen all profiles and cookbooks prior to usage in production.

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References