| |
Vulnerability CVE-2010-5142
Published: 2012-08-08
| Description: |
chef-server-api/app/controllers/users.rb in the API in Chef before 0.9.0 does not require administrative privileges for the create, destroy, and update methods, which allows remote authenticated users to manage user accounts via requests to the /users URI. |
CVSS2 => (AV:N/AC:L/Au:S/C:P/I:P/A:P)
| CVSS Base Score |
Impact Subscore |
Exploitability Subscore |
6.5/10 |
6.4/10 |
8/10 |
| Exploit range |
Attack complexity |
Authentication |
Remote |
Low |
Single time |
| Confidentiality impact |
Integrity impact |
Availability impact |
Partial |
Partial |
Partial |
References: |
https://github.com/opscode/chef/commit/c3bb41f727fbe00e5de719d687757b24c8dcdfc8
http://tickets.opscode.com/browse/CHEF-1289
|
|
|
Copyright 2024, cxsecurity.com
|
|
|
