Candidate: CVE-2011-5098
PublicDate: 2012-08-08 10:26:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5098
Description:
 chef-server-api/app/controllers/clients.rb in Chef Server in Chef before
 0.9.20, and 0.10.x before 0.10.6, does not require administrative
 privileges for creating admin clients, which allows remote authenticated
 users to bypass intended access restrictions by leveraging read permission
 for the validation key and executing a knife client create command with the
 --admin option.
Ubuntu-Description:
Notes:
Bugs:
 http://tickets.opscode.com/browse/CHEF-2649
Priority: medium
Discovered-by:
Assigned-to:
CVSS: 

Patches_chef:
 upstream: https://github.com/opscode/chef/commit/33f0e9c58bbf047e1b401a834f3abfe72d9a8947
upstream_chef: needs-triage
hardy_chef: DNE
lucid_chef: ignored (reached end-of-life)
natty_chef: ignored (reached end-of-life)
oneiric_chef: ignored (reached end-of-life)
precise_chef: DNE
quantal_chef: not-affected (10.12.0-2)
raring_chef: not-affected (10.12.0-2)
saucy_chef: not-affected (10.12.0-2)
devel_chef: not-affected (10.12.0-2)

Patches_chef-server-api:
upstream_chef-server-api: needs-triage
hardy_chef-server-api: DNE
lucid_chef-server-api: DNE
natty_chef-server-api: DNE
oneiric_chef-server-api: DNE
precise_chef-server-api: DNE
quantal_chef-server-api: not-affected (code not present)
raring_chef-server-api: not-affected (code not present)
saucy_chef-server-api: not-affected (code not present)
devel_chef-server-api: not-affected (code not present)