CVE-2023-40050 — CRITICAL (9.9)

Q: How severe is CVE-2023-40050?

CVE-2023-40050 has been rated CRITICAL with a CVSS base score of 9.9/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2023-40050?

Check the references section above for vendor advisories and patch information. Affected products include: Chef Automate.

Vulnerability Description

Upload profile either through API or user interface in Chef Automate prior to and including version 4.10.29 using InSpec check command with maliciously crafted profile allows remote code execution.

CVSS Score

9.9

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Chef	Automate	<= 4.10.29

Related Weaknesses (CWE)

CWE-94 CWE-434

References

https://community.progress.com/s/article/Product-Alert-Bulletin-October-2023-CHEVendor Advisory
https://docs.chef.io/automate/profiles/Product
https://docs.chef.io/release_notes_automate/Release Notes
https://community.progress.com/s/article/Product-Alert-Bulletin-October-2023-CHEVendor Advisory
https://docs.chef.io/automate/profiles/Product
https://docs.chef.io/release_notes_automate/Release Notes

FAQ

What is CVE-2023-40050?

CVE-2023-40050 is a vulnerability with a CVSS score of 9.9 (CRITICAL). Upload profile either through API or user interface in Chef Automate prior to and including version 4.10.29 using InSpec check command with maliciously crafted profile allows remote code execution. ...

How severe is CVE-2023-40050?

CVE-2023-40050 has been rated CRITICAL with a CVSS base score of 9.9/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2023-40050?

Check the references section above for vendor advisories and patch information. Affected products include: Chef Automate.