Chef Automate versions 4.11.0 and below used a dependent package of Minio that was susceptible to the following critical CVEs:
Given how Minio is used in distributed environments, there was a high probability of the API key falling into the hands of bad actors. That would have allowed data to be modified or appended and would have granted administrator access to unauthorized accounts.
A custom package based on an open-source version of Minio has been developed to ensure that users with lower privileges cannot access the API key to modify or append irrelevant data. The updated version of the custom Minio package resolves the following critical CVEs:
Chef Automate versions 4.12.40 and above include this fix.
To prevent unauthorized access to the API key by potential bad actors and lower-privileged users, update your Chef Automate installation to the latest version.
The latest version of Chef Automate is 4.12.40.