PT-2019-12438 · Octopus · Octopus Deploy

Tom Peters · Published 2019-05-01 · Updated 2022-07-27 · CVE-2019-11632

CVSS v3.1: 8.1 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Octopus Deploy versions 2019.1.0 through 2019.3.1
Octopus Deploy versions 2019.4.0 through 2019.4.5

Description

The issue allows an authenticated user with the VariableViewUnscoped or VariableEditUnscoped permission to view or edit unscoped variables from a different project. These permissions are used in custom User Roles and do not affect built-in User Roles.

Recommendations

For Octopus Deploy versions 2019.1.0 through 2019.3.1 and versions 2019.4.0 through 2019.4.5, update to a version outside of these ranges to resolve the issue. As a temporary workaround, consider restricting the VariableViewUnscoped and VariableEditUnscoped permissions to prevent unauthorized access to unscoped variables.

Weakness Enumeration

Improper Privilege Management
Related Identifiers

CVE-2019-11632

Affected Products

Octopus Deploy