Platform
linux
Component
automate
Fixed in
4.13.295
CVE-2025-8868 is a critical SQL Injection vulnerability affecting the Chef Automate compliance service. This flaw allows an authenticated attacker to bypass security controls and potentially gain unauthorized access to sensitive data and functionality within Chef Automate. The vulnerability impacts versions prior to 4.13.295 running on Linux x86 platforms. A patch is available in version 4.13.295.
The SQL Injection vulnerability in Chef Automate allows an authenticated attacker to inject malicious SQL code into queries executed by the compliance service. Successful exploitation could lead to unauthorized data access, modification, or deletion. An attacker could potentially escalate privileges, gain control over Chef Automate resources, and compromise the entire infrastructure. The impact is particularly severe given Chef Automate's role in managing and enforcing configuration compliance across an organization's infrastructure. This could lead to widespread configuration drift and security vulnerabilities if exploited.
CVE-2025-8868 is currently not listed on the CISA KEV catalog. Public proof-of-concept exploits are not yet available, but the critical CVSS score suggests a high probability of exploitation if a suitable exploit is developed. The vulnerability was publicly disclosed on 2025-09-29.
Organizations heavily reliant on Chef Automate for configuration management and compliance enforcement are at significant risk. Specifically, deployments using older versions of Chef Automate (0–4.13.294) running on Linux x86 platforms are directly vulnerable. Shared hosting environments where Chef Automate is deployed may also be at increased risk due to potential cross-tenant vulnerabilities.
• linux / server: journalctl -u chef-automate -g "compliance service"
• linux / server: ps aux | grep "compliance service" | grep -i sql
• generic web: Use a WAF to monitor for SQL injection attempts targeting Chef Automate endpoints.
disclosure
Exploit status
EPSS
13.85% (94th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-8868 is to immediately upgrade Chef Automate to version 4.13.295 or later. If upgrading is not immediately feasible, consider implementing stricter input validation and sanitization within the compliance service to prevent SQL injection attacks. While not a complete solution, employing a Web Application Firewall (WAF) with SQL injection protection rules can provide an additional layer of defense. Review and restrict access to the Chef Automate compliance service to limit the potential attack surface.
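The mitigation text recommends input validation as a stop-gap; the structural fix for any SQL injection is to bind user input as a query parameter so it can never alter the statement. The following is an added illustration, not Chef Automate's code: the table, the profile rows and the `owner` filter are constructed for the demo and do not reflect the compliance service's real schema or the vulnerable query. It shows a string-concatenated query beside its parameterized form, plus an allowlist check for identifier-style input.

```python
import re
import sqlite3

# Constructed sample rows standing in for a compliance-profile table (not Chef's schema).
PROFILES = [
    ("cis-linux", "owner-a"),
    ("stig-rhel", "owner-b"),
    ("internal-baseline", "owner-a"),
]

# Allowlist for identifier-style values: letters, digits, '_', '.', '-', at most 64 chars.
OWNER_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def open_demo_db():
    """Create an in-memory database with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE profiles (name TEXT NOT NULL, owner TEXT NOT NULL)")
    conn.executemany("INSERT INTO profiles VALUES (?, ?)", PROFILES)
    return conn


def find_profiles_vulnerable(conn, owner):
    """Anti-pattern: the caller's value is spliced into the SQL text.

    Whatever quoting or boolean logic the value contains becomes part of the
    statement, which is the defect class behind CVE-2025-8868.
    """
    sql = "SELECT name FROM profiles WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]


def find_profiles_parameterized(conn, owner):
    """Fixed form: the value is bound as a parameter.

    The statement shape is fixed at "owner = ?"; the driver passes the value
    separately, so it is only ever compared as data.
    """
    rows = conn.execute("SELECT name FROM profiles WHERE owner = ?", (owner,))
    return [row[0] for row in rows]


def is_safe_owner(owner):
    """Defence in depth: reject anything that is not a plain identifier.

    This does not replace parameterization; it narrows what reaches the query
    and gives a clear place to log and alert on rejected input.
    """
    return OWNER_RE.fullmatch(owner) is not None


if __name__ == "__main__":
    db = open_demo_db()
    # Textbook tautology input, used only to show why the two forms differ.
    probe = "x' OR '1'='1"
    print("concatenated :", find_profiles_vulnerable(db, probe))    # every row leaks
    print("parameterized:", find_profiles_parameterized(db, probe))  # no match
    print("allowlisted  :", is_safe_owner(probe))                    # False
```

With the concatenated query the tautology returns all three profiles regardless of owner, while the parameterized query returns nothing because the whole string is compared as a literal owner value. The allowlist rejects the input before it reaches the database, which is the place to attach the WAF-style alerting the mitigation text mentions.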
Upgrade Chef Automate to version 4.13.295 or later. This update fixes the SQL injection vulnerability in the compliance service. See the release notes at https://docs.chef.io/release_notes_automate/#4.13.295 for more details.
CVE-2025-8868 is a critical SQL Injection vulnerability in Chef Automate compliance service versions 0–4.13.294, allowing authenticated attackers to gain unauthorized access.
Yes, if you are running Chef Automate versions 0–4.13.294 on a Linux x86 platform, you are vulnerable to this SQL Injection flaw.
Upgrade Chef Automate to version 4.13.295 or later to remediate the vulnerability. Consider WAF rules as a temporary mitigation.
While no active exploitation has been confirmed, the critical severity suggests a high probability of exploitation if a suitable exploit is developed.
Refer to the official Chef Automate security advisory for CVE-2025-8868 on the Chef website.