CVE-2010-5142: Chef Improper Access Control vulnerability

May 17, 2022 (updated February 8, 2024)

chef-server-api/app/controllers/users.rb in the API in Chef before 0.9.0 does not require administrative privileges for the create, destroy, and update methods, which allows remote authenticated users to manage user accounts via requests to the /users URI.

References

tickets.opscode.com/browse/CHEF-1289
github.com/advisories/GHSA-f68m-q26r-64f6
github.com/opscode/chef/commit/c3bb41f727fbe00e5de719d687757b24c8dcdfc8
nvd.nist.gov/vuln/detail/CVE-2010-5142

Code Behaviors & Features

Detect and mitigate CVE-2010-5142 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →