PT-2018-9977 · Octopus Deploy · Octopus Deploy
Published: 2018-05-01 · Updated: 2018-06-13
CVE-2018-10581
CVSS v2.0: 5.5 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions:
Octopus Deploy versions 3.4.x through 2018.4.6
Description:
The issue allows an authenticated user to view, update, or save variable values within the Tenant Variables area for Environments that do not exist within their associated Team scoping. This occurs when the authenticated user belongs to multiple teams, and one of the teams has the VariableEdit or VariableView permissions for the Environment.
Recommendations:
For Octopus Deploy versions 3.4.x through 2018.4.6, update to version 2018.4.7 or later to resolve the issue.
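Added example, not part of the advisory and not Octopus Deploy code: a simplified model of team-scoped permission checks, assuming the over-broad access arises from merging permissions and environment scopes across all of a user's teams. The team names, users, `SomeOtherPermission` and all function names are constructed for illustration; `audit` lists the grants that a per-team check would refuse.

```python
from dataclasses import dataclass

VARIABLE_PERMS = ("VariableEdit", "VariableView")  # permissions named in the advisory

@dataclass(frozen=True)
class Team:
    name: str
    members: frozenset
    permissions: frozenset
    environments: frozenset  # environments this team's permissions are scoped to

def merged_check(teams, user, perm, env):
    """Assumed flawed pattern: union permissions and scopes over all of a user's teams."""
    mine = [t for t in teams if user in t.members]
    perms = set().union(*(t.permissions for t in mine))
    envs = set().union(*(t.environments for t in mine))
    return perm in perms and env in envs

def scoped_check(teams, user, perm, env):
    """A permission applies only inside the scope of the team that grants it."""
    return any(user in t.members and perm in t.permissions and env in t.environments
               for t in teams)

def audit(teams, environments):
    """Return (user, permission, environment) grants that only the merged check allows."""
    users = sorted(set().union(*(t.members for t in teams)))
    return [(u, p, e)
            for u in users for p in VARIABLE_PERMS for e in sorted(environments)
            if merged_check(teams, u, p, e) and not scoped_check(teams, u, p, e)]

# Constructed sample data: alice is in two teams, only one of which grants
# variable permissions, and that team is scoped to Development only.
TEAMS = [
    Team("Dev Variable Editors", frozenset({"alice"}),
         frozenset(VARIABLE_PERMS), frozenset({"Development"})),
    Team("Prod Deployers", frozenset({"alice", "bob"}),
         frozenset({"SomeOtherPermission"}), frozenset({"Production"})),
]
ENVIRONMENTS = {"Development", "Production"}

if __name__ == "__main__":
    for user, perm, env in audit(TEAMS, ENVIRONMENTS):
        print(f"over-broad: {user} gets {perm} on {env}")
```

Running the same comparison over an export of real team definitions shows which multi-team users would have variable access outside the scope of the granting team.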
Exploit
Fix
Information Disclosure
Affected Products
Octopus Deploy