Chef360
Monthly
Hardcoded static credentials in Chef 360 prior to v1.7.0 exposed internal message queue infrastructure to unauthorized network access, disclosing tenant-specific identifiers across the multi-tenant platform. The credential was embedded in the product itself, making it accessible to any party with possession of the software. Progress Chef confirmed the issue and eliminated the static credential entirely in v1.7.0 by replacing it with per-tenant access controls. No public exploit identified at time of analysis, though the CVSS 4.0 supplemental vector flags this as automatable (AU:Y) with proof-of-concept exploit maturity (E:P), elevating its realistic urgency beyond the low base score of 2.3.
Authorization bypass in Progress Chef 360 prior to version 1.7.1 allows authenticated users to access higher-privileged API endpoints by exploiting improper URL-encoded path handling during request processing. The flaw is a path traversal/normalization weakness (CWE-23) that lets standard access controls be circumvented before authorization checks run. No public exploit identified at time of analysis, but the vendor advisory confirms the issue and a fixed release is available.
Hardcoded static credentials in Chef 360 prior to v1.7.0 exposed internal message queue infrastructure to unauthorized network access, disclosing tenant-specific identifiers across the multi-tenant platform. The credential was embedded in the product itself, making it accessible to any party with possession of the software. Progress Chef confirmed the issue and eliminated the static credential entirely in v1.7.0 by replacing it with per-tenant access controls. No public exploit identified at time of analysis, though the CVSS 4.0 supplemental vector flags this as automatable (AU:Y) with proof-of-concept exploit maturity (E:P), elevating its realistic urgency beyond the low base score of 2.3.
Authorization bypass in Progress Chef 360 prior to version 1.7.1 allows authenticated users to access higher-privileged API endpoints by exploiting improper URL-encoded path handling during request processing. The flaw is a path traversal/normalization weakness (CWE-23) that lets standard access controls be circumvented before authorization checks run. No public exploit identified at time of analysis, but the vendor advisory confirms the issue and a fixed release is available.