CVE-2015-8559
high
CVSS v3
7.5
CVSS v2
5.0
VIR risk
7.5
Description
The knife bootstrap command in Chef Infra Client before version 15.4.45 leaks the validator.pem private RSA key to /var/log/messages.
Predictions
Exploit likelihood
83%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: cve@mitre.org — https://github.com/chef/chef/issues/3871
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| chef | chef | < 15.4.45 | 15.4.45 |
References
- http://www.openwall.com/lists/oss-security/2015/12/14/14
- https://discourse.chef.io/t/chef-infra-client-15-4-45-released/16081
- https://github.com/chef/chef/issues/3871
- https://github.com/chef/chef/pull/8885
CWEs
CWE-200