GHSA-f68m-q26r-64f6

Source

https://github.com/advisories/GHSA-f68m-q26r-64f6

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-f68m-q26r-64f6/GHSA-f68m-q26r-64f6.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-f68m-q26r-64f6

Aliases

CVE-2010-5142

Published

2022-05-17T05:26:20Z

Modified

2024-12-06T05:25:24.468184Z

Summary

Chef Improper Access Control vulnerability

Details

chef-server-api/app/controllers/users.rb in the API in Chef before 0.9.0 does not require administrative privileges for the create, destroy, and update methods, which allows remote authenticated users to manage user accounts via requests to the /users URI.

Database specific

{
    "nvd_published_at": "2012-08-08T10:26:00Z",
    "cwe_ids": [
        "CWE-284"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-08T15:31:52Z"
}

References

Affected packages

RubyGems / chef

Package

Name: chef
Purl: pkg:gem/chef

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.9.0

Affected versions

0.*

0.7.10

0.7.12

0.7.14

0.7.16

0.8.2

0.8.4

0.8.6

0.8.8

0.8.10

0.8.14

0.8.16

0.9.0.a3

0.9.0.a4

0.9.0.a6

0.9.0.a8

0.9.0.a10

0.9.0.a90

0.9.0.a91

0.9.0.a92

0.9.0.b01

0.9.0.b02

0.9.0.rc01

0.9.0.rc02