PT-2025-39824 · Progress · Chef Automate
Published 2025-09-29 · Updated 2025-10-07
CVE-2025-8868
CVSS v3.1: 9.8 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Chef Automate versions prior to 4.13.295
Description
An attacker who presents a well-known token can gain access to restricted functionality of the Chef Automate compliance service. The root cause is an SQL injection: input is not properly neutralized before it is used in an SQL command reachable with that token, so crafted input changes the meaning of the command and bypasses the access restrictions the compliance service is meant to enforce. Note that the CVSS vector scores PR:N, consistent with the token being well-known rather than a per-user credential: an attacker does not need a legitimate account, which is why the issue is rated Critical.
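The weakness class described above, as an added illustration that is not Chef Automate code and does not reproduce the actual vulnerable query: a lookup that splices a caller-supplied token into the SQL text, beside the same lookup with the token bound as a parameter. The table, rows, token values and the injected payload are all constructed for the demo and run against an in-memory SQLite database.

```python
"""Added example (not from Chef Automate): token lookup with and without
proper neutralization of the input used in an SQL command.

Everything here is constructed: the `tokens` table, its rows, the token
strings and the injected payload.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with a constructed token -> role table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tokens (token TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO tokens VALUES (?, ?)",
        [("tok-admin-1", "admin"), ("tok-viewer-1", "viewer")],
    )
    return conn


def lookup_roles_vulnerable(conn: sqlite3.Connection, token: str) -> list[str]:
    """Vulnerable: the token is interpolated into the SQL text, so any SQL
    syntax inside the token becomes part of the command that is executed."""
    sql = f"SELECT role FROM tokens WHERE token = '{token}'"
    return sorted(row[0] for row in conn.execute(sql).fetchall())


def lookup_roles_fixed(conn: sqlite3.Connection, token: str) -> list[str]:
    """Hardened: the token is bound as a query parameter. The driver passes it
    as a value, so it can only ever be compared as a string, never parsed as SQL."""
    sql = "SELECT role FROM tokens WHERE token = ?"
    return sorted(row[0] for row in conn.execute(sql, (token,)).fetchall())


# Constructed payload: closes the string literal and widens the WHERE clause
# so that every row matches, regardless of which token the attacker holds.
INJECTED_TOKEN = "' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_roles_vulnerable(db, INJECTED_TOKEN))  # every role
    print("fixed:     ", lookup_roles_fixed(db, INJECTED_TOKEN))      # no match
    print("fixed, real token:", lookup_roles_fixed(db, "tok-viewer-1"))
```

The point to take from the two functions is that the fix is not to filter quotes out of the token but to stop the token from ever being part of the SQL text: with a bound parameter the database engine receives the command and the value separately, so the payload is just an unusual string that matches no row.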
Recommendations
Update Chef Automate to version 4.13.295 or later.
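A small added check for confirming whether an installation is still below the fixed release; this is not Chef Automate's own tooling. It takes whatever text reports the version (the `chef-automate version` output format used in the sample below is an assumption, and the sample itself is constructed) and compares the version numerically, because a lexical comparison of strings such as "4.9.33" and "4.13.295" gives the wrong answer.

```python
"""Added practitioner check (not part of Chef Automate): is a reported
version below the fixed release 4.13.295?

The sample CLI output is constructed and its layout is an assumption; the
parser only relies on an x.y.z number appearing somewhere in the text.
"""
import re

# Fixed release from the advisory, as a tuple so comparison is numeric.
FIXED_VERSION = (4, 13, 295)

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str) -> tuple[int, int, int]:
    """Return the first x.y.z version in `text` as a tuple of ints.

    Raises ValueError when no such version is present, so a garbled or empty
    report is never silently treated as "not affected".
    """
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(g) for g in match.groups())  # type: ignore[return-value]


def is_affected(text: str) -> bool:
    """True when the reported version is strictly below 4.13.295."""
    return parse_version(text) < FIXED_VERSION


# Constructed sample; the real command's exact output format is an assumption.
SAMPLE_CLI_OUTPUT = "Version: 4.9.33\nCLI Build: 20240101000000\n"


if __name__ == "__main__":
    print("affected:", is_affected(SAMPLE_CLI_OUTPUT))
    # Lexical comparison would say "4.9.33" > "4.13.295" and miss this host.
    print("lexical comparison would say affected:", "4.9.33" < "4.13.295")
```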
Tags: Fix available · Information Disclosure · SQL injection
Related Identifiers: CVE-2025-8868
Affected Products: Chef Automate