Hi Chefs,

We just made available a security release of Chef Server 12.0.1 and
Enterprise Chef Server 11.2.6. This addresses a CSRF vulnerability that was
found in the doorkeeper gem, which is used by the oc-id service found in
Chef Server. Open Source Chef Server 11 is not affected by this, as it does
not ship with the oc-id service.

Full details are in the blog post here:

Thanks,
Mark Mzyk
Chef Server Team Engineer