Vulnerabilities
Misconfiguration
Runtime Security
Compliance
CVE Vulnerabilities

CVE-2023-28864

Insecure Storage of Sensitive Information

Published: Jul 17, 2023 | Modified: Jul 27, 2023
CVSS 3.x
5.5
MEDIUM
Source:
NVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu
MEDIUM
Additional information
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2023-28864
CWEhttps://cwe.mitre.org/data/definitions/922.html

Progress Chef Infra Server before 15.7 allows a local attacker to exploit a /var/opt/opscode/local-mode-cache/backup world-readable temporary backup path to access sensitive information, resulting in the disclosure of all indexed node data, because OpenSearch credentials are exposed. (The data typically includes credentials for additional systems.) The attacker must wait for an admin to run the chef-server-ctl reconfigure command.

Weakness

The product stores sensitive information without properly limiting read or write access by unauthorized actors.

Affected Software

Name Vendor Start Version End Version
Chef_infra_server Progress 12.0.0 (including) 15.7.0 (excluding)
Chef Ubuntu bionic *
Chef Ubuntu trusty *
Chef Ubuntu trusty/esm *
Chef Ubuntu xenial *

References

Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2024 Aqua Security Software Ltd.   Privacy Policy | Terms of Use