Upload profile either through API or user interface in Chef Automate prior to and including version 4.10.29 using InSpec check command with maliciously crafted profile allows remote code execution.