CVE-2010-5142
Published: 8 August 2012
chef-server-api/app/controllers/users.rb in the API in Chef before 0.9.0 does not require administrative privileges for the create, destroy, and update methods, which allows remote authenticated users to manage user accounts via requests to the /users URI.
Priority
Status
Package | Release | Status |
---|---|---|
chef Launchpad, Ubuntu, Debian |
precise |
Does not exist
|
hardy |
Does not exist
|
|
lucid |
Ignored
(end of life)
|
|
natty |
Ignored
(end of life)
|
|
oneiric |
Ignored
(end of life)
|
|
quantal |
Not vulnerable
(code not present)
|
|
raring |
Not vulnerable
(code not present)
|
|
saucy |
Not vulnerable
(code not present)
|
|
upstream |
Needs triage
|
|
Patches: upstream: https://github.com/opscode/chef/commit/c3bb41f727fbe00e5de719d687757b24c8dcdfc8 |
||
chef-server-api Launchpad, Ubuntu, Debian |
hardy |
Does not exist
|
lucid |
Does not exist
|
|
natty |
Does not exist
|
|
oneiric |
Does not exist
|
|
precise |
Does not exist
|
|
quantal |
Not vulnerable
(10.12.0-1)
|
|
raring |
Not vulnerable
(10.12.0-1)
|
|
saucy |
Not vulnerable
(10.12.0-1)
|
|
upstream |
Needs triage
|