CVE-2010-5142 - Vulnerability Details - OpenCVE

chef-server-api/app/controllers/users.rb in the API in Chef before 0.9.0 does not require administrative privileges for the create, destroy, and update methods, which allows remote authenticated users to manage user accounts via requests to the /users URI.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00391.

Key SSVC decision points have not yet been added.

Vendors	Products
Opscode	Chef

Configuration 1 [-]

OR	cpe:2.3:a:opscode:chef::::::::
	cpe:2.3:a:opscode:chef:0.7.2:::::::*
	cpe:2.3:a:opscode:chef:0.7.4:::::::*
	cpe:2.3:a:opscode:chef:0.7.6:::::::*
	cpe:2.3:a:opscode:chef:0.7.8:::::::*
	cpe:2.3:a:opscode:chef:0.7.10:::::::*
	cpe:2.3:a:opscode:chef:0.7.12:::::::*
	cpe:2.3:a:opscode:chef:0.7.14:::::::*
	cpe:2.3:a:opscode:chef:0.8.2:::::::*
	cpe:2.3:a:opscode:chef:0.8.4:::::::*
	cpe:2.3:a:opscode:chef:0.8.6:::::::*
	cpe:2.3:a:opscode:chef:0.8.8:::::::*

No data.

No data.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
http://tickets.opscode.com/browse/CHEF-1289
https://github.com/opscode/chef/commit/c3bb41f727fbe00e5de719d687757b24c8dcdfc8

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2012-08-08T10:00:00Z

Updated: 2024-09-16T20:41:52.707Z

Reserved: 2012-08-08T00:00:00Z

Link: CVE-2010-5142

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2012-08-08T10:26:17.503

Modified: 2025-04-11T00:51:21.963

Link: CVE-2010-5142

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "chef-server-api/app/controllers/users.rb in the API in Chef before 0.9.0 does not require administrative privileges for the create, destroy, and update methods, which allows remote authenticated users to manage user accounts via requests to the /users URI."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2012-08-08T10:00:00Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/opscode/chef/commit/c3bb41f727fbe00e5de719d687757b24c8dcdfc8"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://tickets.opscode.com/browse/CHEF-1289"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2010-5142", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "chef-server-api/app/controllers/users.rb in the API in Chef before 0.9.0 does not require administrative privileges for the create, destroy, and update methods, which allows remote authenticated users to manage user accounts via requests to the /users URI."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/opscode/chef/commit/c3bb41f727fbe00e5de719d687757b24c8dcdfc8", "refsource": "CONFIRM", "url": "https://github.com/opscode/chef/commit/c3bb41f727fbe00e5de719d687757b24c8dcdfc8"}, {"name": "http://tickets.opscode.com/browse/CHEF-1289", "refsource": "CONFIRM", "url": "http://tickets.opscode.com/browse/CHEF-1289"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T04:09:39.223Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/opscode/chef/commit/c3bb41f727fbe00e5de719d687757b24c8dcdfc8"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://tickets.opscode.com/browse/CHEF-1289"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2010-5142", "datePublished": "2012-08-08T10:00:00Z", "dateReserved": "2012-08-08T00:00:00Z", "dateUpdated": "2024-09-16T20:41:52.707Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:opscode:chef:*:*:*:*:*:*:*:*", "matchCriteriaId": "56BED2E7-173C-4990-AD1E-061B006C0083", "versionEndIncluding": "0.8.10", "vulnerable": true}, {"criteria": "cpe:2.3:a:opscode:chef:0.7.2:*:*:*:*:*:*:*", "matchCriteriaId": "4303E45B-3CC7-4F86-9AA3-9DE9E340DDB7", "vulnerable": true}, {"criteria": "cpe:2.3:a:opscode:chef:0.7.4:*:*:*:*:*:*:*", "matchCriteriaId": "2DE318AD-5737-453F-90B9-449A3593887E", "vulnerable": true}, {"criteria": "cpe:2.3:a:opscode:chef:0.7.6:*:*:*:*:*:*:*", "matchCriteriaId": "D0FB009E-708B-41BE-98E3-0548204A594A", "vulnerable": true}, {"criteria": "cpe:2.3:a:opscode:chef:0.7.8:*:*:*:*:*:*:*", "matchCriteriaId": "C369798E-2499-4DD5-8C13-F7A3D0BCAED9", "vulnerable": true}, {"criteria": "cpe:2.3:a:opscode:chef:0.7.10:*:*:*:*:*:*:*", "matchCriteriaId": "E247C8C9-7404-4920-9CA8-91316483CF01", "vulnerable": true}, {"criteria": "cpe:2.3:a:opscode:chef:0.7.12:*:*:*:*:*:*:*", "matchCriteriaId": "0189B6A3-9D58-40D7-BB42-101A600B5014", "vulnerable": true}, {"criteria": "cpe:2.3:a:opscode:chef:0.7.14:*:*:*:*:*:*:*", "matchCriteriaId": "97B55226-BC34-4060-A37D-8317B8BFB43B", "vulnerable": true}, {"criteria": "cpe:2.3:a:opscode:chef:0.8.2:*:*:*:*:*:*:*", "matchCriteriaId": "E624C53F-1755-4E88-B575-1AB92781A06C", "vulnerable": true}, {"criteria": "cpe:2.3:a:opscode:chef:0.8.4:*:*:*:*:*:*:*", "matchCriteriaId": "DAA73864-4852-47D9-9EB9-A2AD654D0BAC", "vulnerable": true}, {"criteria": "cpe:2.3:a:opscode:chef:0.8.6:*:*:*:*:*:*:*", "matchCriteriaId": "112F8AEB-9DD0-4A68-B69C-B677BE373DAE", "vulnerable": true}, {"criteria": "cpe:2.3:a:opscode:chef:0.8.8:*:*:*:*:*:*:*", "matchCriteriaId": "9C6B61EE-2F0D-49DC-ADFD-D0A25A21B8B6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "chef-server-api/app/controllers/users.rb in the API in Chef before 0.9.0 does not require administrative privileges for the create, destroy, and update methods, which allows remote authenticated users to manage user accounts via requests to the /users URI."}, {"lang": "es", "value": "chef-server-api/app/controllers/users.rb en la API en Chef anterior a v0.9.0 no requieren privilegios administrativos para crear, destruir, y m\u00e9todos de actualizaci\u00f3n, que permite a usuarios remotos autenticados administrar cuentas de usuario a trav\u00e9s de solicitudes a los usuarios URI."}], "id": "CVE-2010-5142", "lastModified": "2025-04-11T00:51:21.963", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2012-08-08T10:26:17.503", "references": [{"source": "cve@mitre.org", "url": "http://tickets.opscode.com/browse/CHEF-1289"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://github.com/opscode/chef/commit/c3bb41f727fbe00e5de719d687757b24c8dcdfc8"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://tickets.opscode.com/browse/CHEF-1289"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/opscode/chef/commit/c3bb41f727fbe00e5de719d687757b24c8dcdfc8"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-264"}], "source": "nvd@nist.gov", "type": "Primary"}]}