CVE-2023-28864

Source
https://cve.org/CVERecord?id=CVE-2023-28864
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-28864.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-28864
Published
2023-07-17T20:15:13.343Z
Modified
2026-04-10T04:58:33.072910Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
[none]
Details

Progress Chef Infra Server before 15.7 allows a local attacker to exploit a /var/opt/opscode/local-mode-cache/backup world-readable temporary backup path to access sensitive information, resulting in the disclosure of all indexed node data, because OpenSearch credentials are exposed. (The data typically includes credentials for additional systems.) The attacker must wait for an admin to run the "chef-server-ctl reconfigure" command.

References

Affected packages

Git / github.com/chef/chef-server

Affected ranges

Type
GIT
Repo
https://github.com/chef/chef-server
Events
Database specific
{
    "versions": [
        {
            "introduced": "12.0.0"
        },
        {
            "fixed": "15.7.0"
        }
    ]
}

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-28864.json"