PT-2019-12438 · Octopus · Octopus Deploy

Tom Peters · Published 2019-05-01 · Updated 2022-07-27 · CVE-2019-11632

CVSS v3.1: 8.1 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

Octopus Deploy versions 2019.1.0 through 2019.3.1
Octopus Deploy versions 2019.4.0 through 2019.4.5

Description

The issue allows an authenticated user with the VariableViewUnscoped or VariableEditUnscoped permission to view or edit unscoped variables from a different project. These permissions are used in custom User Roles and do not affect built-in User Roles.

Recommendations

For Octopus Deploy versions 2019.1.0 through 2019.3.1, update to a version outside of this range to resolve the issue. For Octopus Deploy versions 2019.4.0 through 2019.4.5, update to a version outside of this range to resolve the issue. As a temporary workaround, consider restricting the VariableViewUnscoped and VariableEditUnscoped permissions to prevent unauthorized access to unscoped variables.

Exploit

Fix

Improper Privilege Management

Weakness Enumeration

Related Identifiers

CVE-2019-11632

Affected Products

Octopus Deploy