CVE-2011-5097
Published: 8 August 2012
chef-server-api/app/controllers/cookbooks.rb in Chef Server in Chef before 0.9.18, and 0.10.x before 0.10.2, does not require administrative privileges for the update and destroy methods, which allows remote authenticated users to (1) upload cookbooks via a knife cookbook upload command or (2) delete cookbooks via a knife cookbook delete command.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
chef Launchpad, Ubuntu, Debian |
hardy |
Does not exist
|
| lucid |
Ignored
(end of life)
|
|
| natty |
Ignored
(end of life)
|
|
| oneiric |
Ignored
(end of life)
|
|
| precise |
Does not exist
|
|
| quantal |
Not vulnerable
(code not present)
|
|
| raring |
Not vulnerable
(code not present)
|
|
| saucy |
Not vulnerable
(code not present)
|
|
| upstream |
Needs triage
|
|
|
Patches: upstream: https://github.com/opscode/chef/commit/a4ea6edab2fecb922f999cffb0daa04eeeec7a26 |
||
|
chef-server-api Launchpad, Ubuntu, Debian |
hardy |
Does not exist
|
| lucid |
Does not exist
|
|
| natty |
Does not exist
|
|
| oneiric |
Does not exist
|
|
| precise |
Does not exist
|
|
| quantal |
Not vulnerable
(10.12.0-1)
|
|
| raring |
Not vulnerable
(10.12.0-1)
|
|
| saucy |
Not vulnerable
(10.12.0-1)
|
|
| upstream |
Needs triage
|
|