Octopus · Octopus Deploy · CVE-2019-11632
**Name of the Vulnerable Software and Affected Versions**
Octopus Deploy versions 2019.1.0 through 2019.3.1
Octopus Deploy versions 2019.4.0 through 2019.4.5
**Description**
The issue allows an authenticated user with the `VariableViewUnscoped` or `VariableEditUnscoped` permission to view or edit unscoped variables from a different project. These permissions are used in custom User Roles and do not affect built-in User Roles.
**Recommendations**
For Octopus Deploy versions 2019.1.0 through 2019.3.1, update to a version outside of this range to resolve the issue.
For Octopus Deploy versions 2019.4.0 through 2019.4.5, update to a version outside of this range to resolve the issue.
As a temporary workaround, consider restricting the `VariableViewUnscoped` and `VariableEditUnscoped` permissions to prevent unauthorized access to unscoped variables.
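A triage sketch for the advisory above, added here as an example and not taken from Octopus Deploy: it checks a server version against the two affected ranges and lists custom roles that grant either permission. The role inventory format (`Name`, `BuiltIn`, `Permissions` keys) and the sample roles are assumptions constructed for this example, not the Octopus API schema.

```python
import re

# Affected ranges from the advisory, inclusive on both ends.
AFFECTED_RANGES = [((2019, 1, 0), (2019, 3, 1)), ((2019, 4, 0), (2019, 4, 5))]
RISKY_PERMISSIONS = {"VariableViewUnscoped", "VariableEditUnscoped"}


def parse_version(text):
    """Turn '2019.4.3' into a comparable tuple; a '-suffix' is ignored,
    so a pre-release build is treated like its base version."""
    match = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(version_text):
    version = parse_version(version_text)
    return any(low <= version <= high for low, high in AFFECTED_RANGES)


def exposed_roles(roles):
    """Return {role name: sorted risky permissions} for custom roles only."""
    findings = {}
    for role in roles:
        if role.get("BuiltIn"):  # advisory: built-in roles are not affected
            continue
        hits = RISKY_PERMISSIONS & set(role.get("Permissions", []))
        if hits:
            findings[role["Name"]] = sorted(hits)
    return findings


def triage(version_text, roles):
    """Roles needing review on an affected server; empty dict otherwise."""
    return exposed_roles(roles) if is_affected(version_text) else {}


# Constructed sample inventory with hypothetical role names and assumed keys.
SAMPLE_ROLES = [
    {"Name": "Example built-in role", "BuiltIn": True,
     "Permissions": ["VariableViewUnscoped"]},
    {"Name": "Team A config editor", "BuiltIn": False,
     "Permissions": ["VariableView", "VariableEditUnscoped", "VariableViewUnscoped"]},
    {"Name": "Release notes reader", "BuiltIn": False, "Permissions": ["ReleaseView"]},
]

if __name__ == "__main__":
    for version in ("2019.3.1", "2019.3.2", "2019.4.5", "2019.4.6"):
        print(version, triage(version, SAMPLE_ROLES))
```

Note that versions between the two ranges, such as 2019.3.2, fall outside both and are reported as not affected.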