chef-server-api/app/controllers/clients.rb in Chef Server in Chef before 0.9.20, and 0.10.x before 0.10.6, does not require administrative privileges for creating admin clients, which allows remote authenticated users to bypass intended access restrictions by leveraging read permission for the validation key and executing a knife client create command with the --admin option.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: mitre
Published: 2012-08-08T10:00:00Z
Updated: 2024-09-17T03:42:41.411Z
Reserved: 2012-08-08T00:00:00Z
Link: CVE-2011-5098
Vulnrichment
No data.
NVD
Status : Analyzed
Published: 2012-08-08T10:26:18.207
Modified: 2012-08-10T04:00:00.000
Link: CVE-2011-5098
Redhat
No data.