PT-2023-27237 · Chef · Chef Automate
Published 2023-10-31 · Updated 2023-11-08 · CVE-2023-40050
CVSS v3.1 9.9 Critical
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Chef Automate versions prior to and including 4.10.29
Description
Chef Automate runs the InSpec check command on profiles uploaded through its API or user interface; a maliciously crafted profile can therefore achieve remote code execution on the Chef Automate host.
Recommendations
For Chef Automate versions prior to and including 4.10.29, update to a version later than 4.10.29 to resolve the issue.
As a temporary workaround, consider restricting the use of the InSpec check command until a patch is applied.
Avoid uploading untrusted or maliciously crafted profiles to the affected API endpoint until the issue is resolved.
Fix
Unrestricted File Upload
Code Injection
Related Identifiers
Affected Products
Chef Automate