Lucene search

MitreCVE-2023-28864

HistoryJul 17, 2023 - 8:15 p.m.

CVE-2023-28864

2023-07-1720:15:13

CWE-922

mitre

web.nvd.nist.gov

chef infra server

progress

cve-2023-28864

vulnerability

local attack

sensitive information disclosure

opensearch

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

5.3

Confidence

High

EPSS

Percentile

5.1%

JSON

Progress Chef Infra Server before 15.7 allows a local attacker to exploit a /var/opt/opscode/local-mode-cache/backup world-readable temporary backup path to access sensitive information, resulting in the disclosure of all indexed node data, because OpenSearch credentials are exposed. (The data typically includes credentials for additional systems.) The attacker must wait for an admin to run the “chef-server-ctl reconfigure” command.

Affected configurations

Nvd

Node

progresschef_infra_serverRange12.0.0–15.7.0

VendorProductVersionCPE
progresschef_infra_server*cpe:2.3:a:progress:chef_infra_server:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
progress	chef_infra_server	*	cpe:2.3:a:progress:chef_infra_server::::::::

References

blog.mondoo.com/chef-infra-server-cve-2023-28864-impact-and-remediation

docs.chef.io/release_notes_server/

github.com/chef/chef-server/blob/8a2dc82148844767f7c7728633a03dcee812e56a/omnibus/files/server-ctl-cookbooks/infra-server/recipes/oc_bifrost.rb#L42

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

5.3

Confidence

High

EPSS

Percentile

5.1%

JSON

Related for CVE-2023-28864