Description
A static credential embedded in Chef 360 prior to v1.7.0 permitted unauthenticated access to internal message queues. Queue messages contained tenant-specific identifiers. The credential has been rotated and replaced with per-tenant access in subsequent versions, eliminating this access method entirely.
CVSS breakdown
CVSS 4.0
Attack Vector
Network
Attack Complexity
High
Attack Requirements
None
Privileges Required
Low
User Interaction
None
Confidentiality (Vulnerable System)
Low
Integrity (Vulnerable System)
None
Availability (Vulnerable System)
Low
Confidentiality (Subsequent System)
High
Integrity (Subsequent System)
None
Availability (Subsequent System)
Low
E
Physical
Scope
None
AU
Y
RE
Low
Affected products
- Progress Chef / Chef3600 – 1.7.1