Vulnerability Details : CVE-2011-5098
chef-server-api/app/controllers/clients.rb in Chef Server in Chef before 0.9.20, and 0.10.x before 0.10.6, does not require administrative privileges for creating admin clients, which allows remote authenticated users to bypass intended access restrictions by leveraging read permission for the validation key and executing a knife client create command with the --admin option.
Products affected by CVE-2011-5098
- cpe:2.3:a:opscode:chef:*:*:*:*:*:*:*:*
- cpe:2.3:a:opscode:chef:0.7.8:*:*:*:*:*:*:*
- cpe:2.3:a:opscode:chef:0.7.6:*:*:*:*:*:*:*
- cpe:2.3:a:opscode:chef:0.7.4:*:*:*:*:*:*:*
- cpe:2.3:a:opscode:chef:0.7.2:*:*:*:*:*:*:*
- cpe:2.3:a:opscode:chef:0.8.2:*:*:*:*:*:*:*
- cpe:2.3:a:opscode:chef:0.7.12:*:*:*:*:*:*:*
- cpe:2.3:a:opscode:chef:0.8.8:*:*:*:*:*:*:*
- cpe:2.3:a:opscode:chef:0.8.6:*:*:*:*:*:*:*
- cpe:2.3:a:opscode:chef:0.8.4:*:*:*:*:*:*:*
- cpe:2.3:a:opscode:chef:0.7.14:*:*:*:*:*:*:*
- cpe:2.3:a:opscode:chef:0.7.10:*:*:*:*:*:*:*
- cpe:2.3:a:opscode:chef:0.9.14:*:*:*:*:*:*:*
- cpe:2.3:a:opscode:chef:0.9.12:*:*:*:*:*:*:*
- cpe:2.3:a:opscode:chef:0.9.8:*:*:*:*:*:*:*
- cpe:2.3:a:opscode:chef:0.8.10:*:*:*:*:*:*:*
- cpe:2.3:a:opscode:chef:0.9.4:*:*:*:*:*:*:*
- cpe:2.3:a:opscode:chef:0.9.2:*:*:*:*:*:*:*
- cpe:2.3:a:opscode:chef:0.9.0:*:*:*:*:*:*:*
- cpe:2.3:a:opscode:chef:0.9.10:*:*:*:*:*:*:*
- cpe:2.3:a:opscode:chef:0.9.6:*:*:*:*:*:*:*
- cpe:2.3:a:opscode:chef:0.10.0:*:*:*:*:*:*:*
- cpe:2.3:a:opscode:chef:0.9.16:*:*:*:*:*:*:*
- cpe:2.3:a:opscode:chef:0.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:opscode:chef:0.5.6:*:*:*:*:*:*:*
- cpe:2.3:a:opscode:chef:0.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:opscode:chef:0.10.2:*:*:*:*:*:*:*
- cpe:2.3:a:opscode:chef:0.10.4:*:*:*:*:*:*:*
- cpe:2.3:a:opscode:chef:0.8.16:*:*:*:*:*:*:*
- cpe:2.3:a:opscode:chef:0.8.14:*:*:*:*:*:*:*
- cpe:2.3:a:opscode:chef:0.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:opscode:chef:0.8.12:*:*:*:*:*:*:*
- cpe:2.3:a:opscode:chef:0.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:opscode:chef:0.5.4:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2011-5098
0.21%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 59 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2011-5098
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.5
|
MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
8.0
|
6.4
|
NIST |
CWE ids for CVE-2011-5098
-
Assigned by: nvd@nist.gov (Primary)
References for CVE-2011-5098
-
https://github.com/opscode/chef/commit/33f0e9c58bbf047e1b401a834f3abfe72d9a8947
CHEF-2649: Only allow admin clients to create admins (not validators) · chef/chef@33f0e9c · GitHubExploit;Patch
-
http://tickets.opscode.com/browse/CHEF-2649
Page not found · GitHub · GitHub
Jump to