CVE-2023-40050

Automate Vulnerable to Malicious Content Uploaded Through Embedded Compliance Application

Description

Uploading a profile, either through the API or the user interface, to Chef Automate prior to and including version 4.10.29 and running the InSpec check command against a maliciously crafted profile allows remote code execution.

Remediation

Solution:

  • Customers should adopt the latest releases of Automate available from the customer downloads portal.

Workaround:

  • Chef recommends that all users manually inspect and lint, with a tool similar to test-kitchen, all profiles and cookbooks before using them in production.

Category

CVSS 3.1 score: 9.9
Severity: Critical
EPSS: 9.89% (Top 10%)
Vendor Advisory: progress.com
Affected: Progress Software Corporation Chef Automate
Published at:
Updated at:

References

Frequently Asked Questions

What is the severity of CVE-2023-40050?
CVE-2023-40050 has been scored as a critical severity vulnerability.
How to fix CVE-2023-40050?
To fix CVE-2023-40050: Customers should adopt the latest releases of Automate available from the customer downloads portal.
Is CVE-2023-40050 being actively exploited in the wild?
It is possible that CVE-2023-40050 is being exploited or will be exploited in the near future based on public information. According to its EPSS score, there is a ~10% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-40050?
CVE-2023-40050 affects Progress Software Corporation Chef Automate.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.