Moderate severity · NVD Advisory · Published Aug 8, 2012 · Updated Apr 29, 2026
CVE-2010-5142
Description
chef-server-api/app/controllers/users.rb in the API in Chef before 0.9.0 does not require administrative privileges for the create, destroy, and update methods, which allows remote authenticated users to manage user accounts via requests to the /users URI.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| chef (RubyGems) | < 0.9.0 | 0.9.0 |
Affected products
- cpe:2.3:a:opscode:chef:*:*:*:*:*:*:*:* range: <=0.8.10
- cpe:2.3:a:opscode:chef:0.7.10:*:*:*:*:*:*:*
- cpe:2.3:a:opscode:chef:0.7.12:*:*:*:*:*:*:*
- cpe:2.3:a:opscode:chef:0.7.14:*:*:*:*:*:*:*
- cpe:2.3:a:opscode:chef:0.7.2:*:*:*:*:*:*:*
- cpe:2.3:a:opscode:chef:0.7.4:*:*:*:*:*:*:*
- cpe:2.3:a:opscode:chef:0.7.6:*:*:*:*:*:*:*
- cpe:2.3:a:opscode:chef:0.7.8:*:*:*:*:*:*:*
- cpe:2.3:a:opscode:chef:0.8.2:*:*:*:*:*:*:*
- cpe:2.3:a:opscode:chef:0.8.4:*:*:*:*:*:*:*
- cpe:2.3:a:opscode:chef:0.8.6:*:*:*:*:*:*:*
- cpe:2.3:a:opscode:chef:0.8.8:*:*:*:*:*:*:*
Patches
c3bb41f727fb CHEF-1289 API does not check for admin rights for user management
1 file changed · +1 −0
chef-server-api/app/controllers/users.rb+1 −0 modified@@ -22,6 +22,7 @@ class Users < Application provides :json before :authenticate_every + before :is_admin, :only => [ :create, :destroy, :update ] # GET to /users def index
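Review bot: The `:only => [ :create, :destroy, :update ]` list on the added `before :is_admin` line names the protected actions one by one, so any mutating action added to `Users` later will be reachable by every authenticated client unless this list is extended at the same time. Consider inverting the filter so that admin rights are required by default and only the read actions such as `index` are exempted. The change is also a single line in one file with no accompanying spec; a request spec asserting that an authenticated non-admin client is rejected on create, destroy and update would keep the check from silently regressing.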
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/opscode/chef/commit/c3bb41f727fbe00e5de719d687757b24c8dcdfc8 (nvd, Patch, WEB)
- github.com/advisories/GHSA-f68m-q26r-64f6 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2010-5142 (ghsa, ADVISORY)
- tickets.opscode.com/browse/CHEF-1289 (nvd, WEB)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/chef/CVE-2010-5142.yml (ghsa, WEB)