Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1mNjhtLXEyNnItNjRmNs4AAfmQ
Chef Improper Access Control vulnerability
chef-server-api/app/controllers/users.rb in the API in Chef before 0.9.0 does not require administrative privileges for the create, destroy, and update methods, which allows remote authenticated users to manage user accounts via requests to the /users URI.
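The flaw is a missing function-level authorization check: the users controller verified that the caller was authenticated but never that the caller was an administrator before mutating accounts. The following Ruby model is an added illustration, not Chef's code and not taken from the referenced commit. The real chef-server-api was a Merb application; the controller, request and user shapes below, and the admin flag carried on users, are assumptions made for the example. The vulnerable controller and the hardened one differ only in the authorization hook.

```ruby
# Added example, not code from Chef or from this advisory: a minimal Ruby model
# of the authorization gap described above. The real chef-server-api was a
# Merb application; the controller, request and user shapes below are assumed
# for illustration, as is the :admin flag on users.

User    = Struct.new(:name, :admin)
Request = Struct.new(:caller, :action, :params) # caller is nil when unauthenticated

class Unauthorized < StandardError; end
class Forbidden     < StandardError; end

# Models the pre-0.9.0 behaviour the advisory describes: every /users action
# requires an authenticated caller, but create/update/destroy never check
# that the caller is an administrator.
class UsersController
  def initialize(store)
    @store = store # name => User, standing in for the user database
  end

  def handle(req)
    authenticate!(req)
    authorize!(req)
    dispatch(req)
  end

  private

  def authenticate!(req)
    raise Unauthorized, "valid credentials required" if req.caller.nil?
  end

  # Vulnerable: authentication only, no function-level authorization at all.
  def authorize!(_req); end

  def dispatch(req)
    p = req.params || {}
    case req.action
    when :index
      @store.keys.sort
    when :show
      @store.fetch(p[:name])
    when :create
      @store[p[:name]] = User.new(p[:name], p.fetch(:admin, false))
      :created
    when :update
      @store.fetch(p[:name]).admin = p.fetch(:admin)
      :updated
    when :destroy
      @store.delete(p[:name])
      :deleted
    else
      raise ArgumentError, "unknown action #{req.action}"
    end
  end
end

# Hardened form, analogous in shape to an admin-only before-filter restricted
# to the mutating actions: same authentication, plus an explicit check that
# only administrators may create, update or destroy accounts.
class HardenedUsersController < UsersController
  ADMIN_ONLY = %i[create update destroy].freeze

  private

  def authorize!(req)
    return unless ADMIN_ONLY.include?(req.action)
    raise Forbidden, "administrator privileges required" unless req.caller.admin
  end
end

# Runs one request and reports the outcome as a value instead of raising,
# so the two controllers can be compared side by side.
def outcome(controller, req)
  controller.handle(req)
rescue Unauthorized
  :unauthorized
rescue Forbidden
  :forbidden
end

# Constructed sample user database: one administrator and one ordinary user.
def sample_store
  { "alice" => User.new("alice", true), "bob" => User.new("bob", false) }
end

if __FILE__ == $PROGRAM_NAME
  bob = sample_store["bob"]
  [UsersController, HardenedUsersController].each do |klass|
    ctl = klass.new(sample_store)
    puts "#{klass}: bob creates mallory -> #{outcome(ctl, Request.new(bob, :create, { name: "mallory" }))}"
    puts "#{klass}: bob destroys alice  -> #{outcome(ctl, Request.new(bob, :destroy, { name: "alice" }))}"
  end
end
```

Run stand-alone, the script shows the same non-admin caller succeeding at create and destroy against the vulnerable controller and receiving a Forbidden outcome from the hardened one, while read-only actions such as index remain available to any authenticated user. The point to carry over when reviewing real controllers is that an authentication filter applied to every action is not a substitute for a per-action privilege check on the mutating ones.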
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mNjhtLXEyNnItNjRmNs4AAfmQ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: 10 months ago
Identifiers: GHSA-f68m-q26r-64f6, CVE-2010-5142
References:
- https://nvd.nist.gov/vuln/detail/CVE-2010-5142
- https://github.com/opscode/chef/commit/c3bb41f727fbe00e5de719d687757b24c8dcdfc8
- http://tickets.opscode.com/browse/CHEF-1289
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/chef/CVE-2010-5142.yml
- https://github.com/advisories/GHSA-f68m-q26r-64f6
Blast Radius: 0.0
Affected Packages
rubygems:chef
Dependent packages: 532
Dependent repositories: 10,030
Downloads: 24,898,924 total
Affected Version Ranges: < 0.9.0
Fixed in: 0.9.0
All affected versions: 0.7.10, 0.7.12, 0.7.14, 0.7.16, 0.8.2, 0.8.4, 0.8.6, 0.8.8, 0.8.10, 0.8.14, 0.8.16
All unaffected versions: 0.9.0, 0.9.2, 0.9.4, 0.9.6, 0.9.8, 0.9.10, 0.9.12, 0.9.14, 0.9.16, 0.9.18, 0.10.0, 0.10.2, 0.10.4, 0.10.6, 0.10.8, 0.10.10, 10.12.0, 10.14.0, 10.14.2, 10.14.4, 10.16.0, 10.16.2, 10.16.4, 10.16.6, 10.18.0, 10.18.2, 10.20.0, 10.22.0, 10.24.0, 10.24.4, 10.26.0, 10.28.0, 10.28.2, 10.30.2, 10.30.4, 10.32.2, 10.34.0, 10.34.2, 10.34.4, 10.34.6, 11.0.0, 11.2.0, 11.4.0, 11.4.2, 11.4.4, 11.6.0, 11.6.2, 11.8.0, 11.8.2, 11.10.0, 11.10.2, 11.10.4, 11.12.0, 11.12.2, 11.12.4, 11.12.8, 11.14.2, 11.14.6, 11.16.0, 11.16.2, 11.16.4, 11.18.0, 11.18.6, 11.18.12, 12.0.0, 12.0.1, 12.0.3, 12.1.0, 12.1.1, 12.1.2, 12.2.1, 12.3.0, 12.4.0, 12.4.1, 12.4.2, 12.4.3, 12.5.1, 12.6.0, 12.7.2, 12.8.1, 12.9.38, 12.9.41, 12.10.24, 12.11.18, 12.12.13, 12.12.15, 12.13.30, 12.13.37, 12.14.60, 12.14.77, 12.14.89, 12.15.19, 12.16.42, 12.17.44, 12.18.31, 12.19.33, 12.19.36, 12.20.3, 12.21.1, 12.21.4, 12.21.10, 12.21.12, 12.21.14, 12.21.20, 12.21.26, 12.21.31, 12.22.1, 12.22.3, 12.22.5, 13.0.113, 13.0.118, 13.1.31, 13.2.20, 13.3.42, 13.4.19, 13.4.24, 13.5.3, 13.6.0, 13.6.4, 13.7.16, 13.8.0, 13.8.3, 13.8.5, 13.9.1, 13.9.4, 13.10.0, 13.10.4, 13.11.3, 13.12.3, 13.12.14, 14.0.190, 14.0.202, 14.1.1, 14.1.12, 14.2.0, 14.3.37, 14.4.56, 14.5.27, 14.5.33, 14.6.47, 14.7.17, 14.8.12, 14.9.13, 14.10.9, 14.11.21, 14.12.3, 14.12.9, 14.13.11, 14.14.14, 14.14.25, 14.14.29, 14.15.6, 15.0.293, 15.0.298, 15.0.300, 15.1.36, 15.2.20, 15.3.14, 15.4.45, 15.5.9, 15.5.15, 15.5.16, 15.5.17, 15.6.10, 15.7.30, 15.7.31, 15.7.32, 15.8.23, 15.9.17, 15.10.12, 15.11.3, 15.11.8, 15.12.22, 15.13.8, 15.14.0, 15.15.0, 15.16.2, 15.16.4, 15.16.7, 15.17.4, 16.0.257, 16.0.275, 16.0.287, 16.1.0, 16.1.16, 16.2.44, 16.2.50, 16.2.73, 16.3.38, 16.3.45, 16.4.35, 16.4.38, 16.4.41, 16.5.64, 16.5.77, 16.6.14, 16.7.61, 16.8.9, 16.8.14, 16.9.16, 16.9.17, 16.9.20, 16.9.29, 16.9.32, 16.10.8, 16.10.17, 16.11.7, 16.12.3, 16.13.16, 16.14.1, 16.15.22, 16.16.7, 16.16.13, 16.17.4, 16.17.18, 16.17.39, 16.17.51, 16.18.0, 16.18.30, 17.0.242, 17.1.35, 17.2.29, 17.3.48, 17.4.25, 17.4.38, 17.5.22, 17.6.15, 17.6.18, 17.7.22, 17.7.29, 17.8.25, 17.9.18, 17.9.26, 17.9.42, 17.9.46, 17.9.52, 17.10.0, 17.10.68, 17.10.95, 17.10.114, 17.10.122, 17.10.163, 18.0.169, 18.0.185, 18.1.0, 18.1.29, 18.2.7, 18.3.0, 18.4.2, 18.4.12, 18.5.0