CVE-2011-5098 chef

Metadata

medium
6.5
chef
CVE-2011-5098
2017-06-18 07:03
CVE-2011-5098
2017-06-16 18:58
2017-04-01 19:11
2017-01-05 20:16

Description

chef-server-api/app/controllers/clients.rb in Chef Server in Chef before 0.9.20, and 0.10.x before 0.10.6, does not require administrative privileges for creating admin clients, which allows remote authenticated users to bypass intended access restrictions by leveraging read permission for the validation key and executing a knife client create command with the --admin option.

Am I vulnerable?

The constraints below list the versions that this vulnerability is patched in, and versions that are unaffected. If a patch is ready but unrealeased, then it is pending.

Or, you can just let us figure it out for you! Appcanary continously monitor your installed packages, and tell you if any of them are vulnerable.

Sign up for monitoring

Affected package information

Release Package Patched in
buster chef 0.10.10-1
jessie chef 0.10.10-1
sid chef 0.10.10-1
stretch chef 0.10.10-1
wheezy chef 0.10.10-1