← Volver a CVEs

CVE-2023-28864

MEDIUM

5.5

Descripcion

Progress Chef Infra Server before 15.7 allows a local attacker to exploit a /var/opt/opscode/local-mode-cache/backup world-readable temporary backup path to access sensitive information, resulting in the disclosure of all indexed node data, because OpenSearch credentials are exposed. (The data typically includes credentials for additional systems.) The attacker must wait for an admin to run the "chef-server-ctl reconfigure" command.

Detalles CVE

Puntuacion CVSS v3.15.5

SeveridadMEDIUM

Vector CVSSCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Vector de ataqueLOCAL

ComplejidadLOW

Privilegios requeridosLOW

Interaccion usuarioNONE

Publicado7/17/2023

Ultima modificacion11/21/2024

Fuentenvd

Avistamientos honeypot0

Productos afectados

progress:chef_infra_server

Debilidades (CWE)

CWE-922

Referencias

https://blog.mondoo.com/chef-infra-server-cve-2023-28864-impact-and-remediation(cve@mitre.org)

https://docs.chef.io/release_notes_server/(cve@mitre.org)

https://github.com/chef/chef-server/blob/8a2dc82148844767f7c7728633a03dcee812e56a/omnibus/files/server-ctl-cookbooks/infra-server/recipes/oc_bifrost.rb#L42(cve@mitre.org)

https://blog.mondoo.com/chef-infra-server-cve-2023-28864-impact-and-remediation(af854a3a-2127-422b-91ae-364da2661108)

https://docs.chef.io/release_notes_server/(af854a3a-2127-422b-91ae-364da2661108)

https://github.com/chef/chef-server/blob/8a2dc82148844767f7c7728633a03dcee812e56a/omnibus/files/server-ctl-cookbooks/infra-server/recipes/oc_bifrost.rb#L42(af854a3a-2127-422b-91ae-364da2661108)

Correlaciones IOC

Sin correlaciones registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.