Lucene search

Debian Security Bug TrackerDEBIANCVE:CVE-2023-28864

HistoryJul 17, 2023 - 8:15 p.m.

CVE-2023-28864

2023-07-1720:15:13

Debian Security Bug Tracker

security-tracker.debian.org

opensearch credentials

indexed node data

sensitive information

world-readable

backup path

disclosure

admin

command

attacker

local

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

Percentile

5.1%

JSON

Progress Chef Infra Server before 15.7 allows a local attacker to exploit a /var/opt/opscode/local-mode-cache/backup world-readable temporary backup path to access sensitive information, resulting in the disclosure of all indexed node data, because OpenSearch credentials are exposed. (The data typically includes credentials for additional systems.) The attacker must wait for an admin to run the “chef-server-ctl reconfigure” command.

OSVersionArchitecturePackageVersionFilename
Debian10allchef< 13.8.7-4chef_13.8.7-4_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	10	all	chef	< 13.8.7-4	chef_13.8.7-4_all.deb

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

Percentile

5.1%

JSON

Related for DEBIANCVE:CVE-2023-28864