CVE-2025-8868— Chef Automate compliance service SQL Injection Vulnerability
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-8868
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Chef Automate compliance service SQL Injection Vulnerability
Source: NVD (National Vulnerability Database)
Vulnerability Description
In Progress Chef Automate, versions earlier than 4.13.295, on Linux x86 platform, an authenticated attacker can gain access to Chef Automate restricted functionality in the compliance service via improperly neutralized inputs used in an SQL command using a well-known token.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
信息暴露
Source: NVD (National Vulnerability Database)
Vulnerability Title
Chef Automate 信息泄露漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Chef Software Chef Automate是Chef Software公司的一种自动化平台,用于自动化和管理基础设施、应用程序和合规性,以帮助组织实现持续交付、自动化操作和安全合规性。 Chef Automate 4.13.295之前版本存在信息泄露漏洞,该漏洞源于合规服务中SQL命令输入中和不当,可能导致未经授权访问受限功能。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Shenlong Deep Dive — AI Deep Analysis
10-question deep dive: root cause, exploitation, mitigation, urgency. Read summary free, full version requires login.
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Progress Software | Chef Automate | 0 ~ 4.13.295 | - |
II. Public POCs for CVE-2025-8868
| # | POC Description | Source Link | Shenlong Link |
|---|---|---|---|
| 1 | In Progress Chef Automate, versions earlier than 4.13.295, on Linux x86 platform, an authenticated attacker can gain access to Chef Automate restricted functionality in the compliance service via improperly neutralized inputs used in an SQL command using a well-known token. | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-8868.yaml | POC Details |
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-8868
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same vendor: Progress Software
- CVE-2026-5174
Improper Access Control Vulnerability in Progress MOVEit Aut - CVE-2026-4670
Improper Authentication vulnerability in Progress MOVEit Aut - CVE-2026-6023
Deserialization of Untrusted Data Vulnerability in Telerik U - CVE-2026-6022
Uncontrolled Resource Consumption Vulnerability in Telerik U - CVE-2026-4048
OS Command Injection Remote Code Execution Vulnerability in
Same weakness: CWE-200
- CVE-2026-42333
quarkus-openapi-generator has overly broad path-parameter ma - CVE-2026-8198
Activity Logs, User Activity Tracking, Multisite Activity Lo - CVE-2026-42456
AnythingLLM: Cross-User TTS Audio Disclosure via Chat ID (ID - CVE-2026-41520
Cillium exposes sensitive information included in the cilium - CVE-2026-25199
Apache CloudStack: Proxmox Extension Allows Unauthorized Cro
V. Comments for CVE-2025-8868
No comments yet