{"id":"CVE-2025-8868","details":"In Progress Chef Automate, versions earlier than 4.13.295, on Linux x86 platform, an authenticated attacker can gain access to Chef Automate restricted functionality in the compliance service via improperly neutralized inputs used in an SQL command using a well-known token.","modified":"2026-04-02T13:06:27.435742Z","published":"2025-09-29T12:15:49.230Z","references":[{"type":"FIX","url":"https://docs.chef.io/release_notes_automate/#4.13.295"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/chef/automate","events":[{"introduced":"0"},{"last_affected":"298ef771035feb112a6fda6013deda7e75f81148"}],"database_specific":{"versions":[{"introduced":"20180319150121"},{"last_affected":"20220329091442"}]}}],"versions":["20190415203801","20190422213145","20190501153509","20190506101326","20190513175357","20190605190944","20190610211245","20190617144820","20190628200755","20190711110747","20190717161024","20190722200451","20190729085402","20190806202030","20190813170406","20190820163418","20190827222442","20190904132002","20191001203421","20191007115919","20191015190829","20191024135531","20191030224959","20191104205453","20191129172405","20191211163405","20200115001116","20200123225613","20200127203438","20200131232134","20200220011437","20200303183409","20200310163217","20200316122114","20200325163209","20200408145843","20200416222158","20200420162758","20200429153636","20200506172513","20200513205422","20200520145933","20200529133631","20200603114954","20200610173731","20200617215626","20200701215317","20200707173044","20200728181447","20200807155122","20200811175306","20200816214709","20200831163517","20200908235050","20200922182722","20201005173827","20201012185603","20201020140427","20201106153948","20201127104018","20201230192246","20210112001354","20210116175706","20210125155346","20210129162733","20210219171521","20210309093358","20210324172345","20210406040048","20210420090302","20210504084406","20210518074441","2021
0526024943","20210601124849","20210616033549","20210629161835","20210713164523","20210720135142","20210727104144","20210813114337","20210824134201","20210907035717","20210923171324","20211007102429","20211020062000","20211102170523","20211125063136","20211201164433","20211220104140","20220103112354","20220113154113","20220121191356","20220209045542","20220223121207","20220310123121","20220322122400","20220329091442","hab-pkg-automate-backend-ctl","hab-pkg-automate-backend-curator","hab-pkg-automate-backend-deployment","hab-pkg-automate-backend-elasticsearch","hab-pkg-automate-backend-elasticsidecar","hab-pkg-automate-backend-haproxy","hab-pkg-automate-backend-journalbeat","hab-pkg-automate-backend-kibana","hab-pkg-automate-backend-metricbeat","hab-pkg-automate-backend-pgleaderchk","hab-pkg-automate-backend-postgresql","hab-pkg-automate-chef-io","hab-pkg-automate-cluster-ctl","hab-pkg-automate-ha-curator","hab-pkg-automate-ha-elasticsearch","hab-pkg-automate-ha-journalbeat","hab-pkg-automate-ha-kibana","hab-pkg-automate-ha-metricbeat","hab-pkg-automate-openssl11","hab-pkg-automate-workflow-web","hab-pkg-data-lifecycle-service"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-8868.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"fixed":"4.13.295"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}