| |
Vulnerability CVE-2011-5097
Published: 2012-08-08
| Description: |
chef-server-api/app/controllers/cookbooks.rb in Chef Server in Chef before 0.9.18, and 0.10.x before 0.10.2, does not require administrative privileges for the update and destroy methods, which allows remote authenticated users to (1) upload cookbooks via a knife cookbook upload command or (2) delete cookbooks via a knife cookbook delete command. |
CVSS2 => (AV:N/AC:L/Au:S/C:N/I:P/A:P)
| CVSS Base Score |
Impact Subscore |
Exploitability Subscore |
5.5/10 |
4.9/10 |
8/10 |
| Exploit range |
Attack complexity |
Authentication |
Remote |
Low |
Single time |
| Confidentiality impact |
Integrity impact |
Availability impact |
None |
Partial |
Partial |
References: |
https://github.com/opscode/chef/commit/a4ea6edab2fecb922f999cffb0daa04eeeec7a26
http://tickets.opscode.com/browse/CHEF-2436
|
|
|
Copyright 2024, cxsecurity.com
|
|
|
