Chef Automate compliance service SQL Injection Vulnerability_CVE-2025-8868

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

In Progress Chef Automate, versions earlier than 4.13.295, on Linux x86 platform, an authenticated attacker can gain access to Chef Automate restricted functionality in the compliance service via

improperly neutralized inputs used in an SQL command using a well-known token.

Basic Information

ID CVE-2025-8868

Source ProgressSoftware

Published Sep 29, 2025 at 11:29

Affected Product

Vendor Progress Software

Product Chef Automate

Affected Versions Progress Software Chef Automate 0

CWE Classification

CWE-200 CWE-89

References

docs.chef.io /release_notes_automate/

{
    "lastseen": "",
    "description": "In Progress Chef Automate, versions earlier than 4.13.295, on Linux x86 platform, an authenticated attacker can gain access to Chef Automate restricted functionality in the compliance service via \n\nimproperly neutralized inputs used in an SQL command using a well-known token.",
    "published": "2025-09-29T11:29:50.463Z",
    "modified": "2025-09-29T11:29:50.463Z",
    "type": "cve",
    "title": "Chef Automate compliance service SQL Injection Vulnerability",
    "source": "ProgressSoftware",
    "references": "https://docs.chef.io/release_notes_automate/#4.13.295",
    "id": "CVE-2025-8868",
    "bulletinFamily": "",
    "cwe": [
        "CWE-200",
        "CWE-89"
    ],
    "cvelist": null,
    "sourceData": "Progress Software Chef Automate 0",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Chef Automate",
    "version": "0",
    "vendor": "Progress Software",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}