CVE-2023-28864

Source
https://cve.org/CVERecord?id=CVE-2023-28864
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-28864.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-28864
Downstream
Published
2023-07-17T00:00:00Z
Modified
2026-07-15T01:49:05.656167053Z
Summary
[none]
Details

Progress Chef Infra Server before 15.7 allows a local attacker to exploit a /var/opt/opscode/local-mode-cache/backup world-readable temporary backup path to access sensitive information, resulting in the disclosure of all indexed node data, because OpenSearch credentials are exposed. (The data typically includes credentials for additional systems.) The attacker must wait for an admin to run the "chef-server-ctl reconfigure" command.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/28xxx/CVE-2023-28864.json",
    "cna_assigner": "mitre"
}
References

Affected packages

Git / github.com/chef/chef-server

Affected ranges

Type
GIT
Repo
https://github.com/chef/chef-server
Events
Database specific
{
    "cpe": "cpe:2.3:a:progress:chef_infra_server:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "15.7"
        },
        {
            "introduced": "12.0.0"
        },
        {
            "fixed": "15.7.0"
        }
    ],
    "source": [
        "DESCRIPTION",
        "CPE_RANGE"
    ]
}

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-28864.json"