Platform
linux
Component
automate
Fixed in
4.13.295
CVE-2025-8868 is a critical SQL Injection vulnerability affecting the Chef Automate compliance service. This flaw allows an authenticated attacker to bypass security controls and potentially gain unauthorized access to sensitive data and functionality within Chef Automate. The vulnerability impacts versions prior to 4.13.295 running on Linux x86 platforms. A patch is available in version 4.13.295.
The SQL Injection vulnerability in Chef Automate allows an authenticated attacker to inject malicious SQL code into queries executed by the compliance service. Successful exploitation could lead to unauthorized data access, modification, or deletion. An attacker could potentially escalate privileges, gain control over Chef Automate resources, and compromise the entire infrastructure. The impact is particularly severe given Chef Automate's role in managing and enforcing configuration compliance across an organization's infrastructure. This could lead to widespread configuration drift and security vulnerabilities if exploited.
CVE-2025-8868 is currently not listed on the CISA KEV catalog. Public proof-of-concept exploits are not yet available, but the critical CVSS score suggests a high probability of exploitation if a suitable exploit is developed. The vulnerability was publicly disclosed on 2025-09-29.
Organizations heavily reliant on Chef Automate for configuration management and compliance enforcement are at significant risk. Specifically, deployments using older versions of Chef Automate (0–4.13.294) running on Linux x86 platforms are directly vulnerable. Shared hosting environments where Chef Automate is deployed may also be at increased risk due to potential cross-tenant vulnerabilities.
• linux / server: journalctl -u chef-automate -g "compliance service"
• linux / server: ps aux | grep "compliance service" | grep -i sql
• generic web: Use a WAF to monitor for SQL injection attempts targeting Chef Automate endpoints.
disclosure
Exploit status
EPSS
13.85% (percentile 94%)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-8868 is to immediately upgrade Chef Automate to version 4.13.295 or later. If upgrading is not immediately feasible, consider implementing stricter input validation and sanitization within the compliance service to prevent SQL injection attacks. While not a complete solution, employing a Web Application Firewall (WAF) with SQL injection protection rules can provide an additional layer of defense. Review and restrict access to the Chef Automate compliance service to limit the potential attack surface.
Upgrade Chef Automate to version 4.13.295 or later. This update fixes the SQL injection vulnerability in the compliance service. See the release notes at https://docs.chef.io/release_notes_automate/#4.13.295 for more details.
CVE-2025-8868 is a critical SQL Injection vulnerability in Chef Automate compliance service versions 0–4.13.294, allowing authenticated attackers to gain unauthorized access.
Yes, if you are running Chef Automate versions 0–4.13.294 on a Linux x86 platform, you are vulnerable to this SQL Injection flaw.
Upgrade Chef Automate to version 4.13.295 or later to remediate the vulnerability. Consider WAF rules as a temporary mitigation.
While no active exploitation has been confirmed, the critical severity suggests a high probability of exploitation if a suitable exploit is developed.
Refer to the official Chef Automate security advisory for CVE-2025-8868 on the Chef website.