Main Vulnerability Database SB2018011615

SB2018011615 - Improper Privilege Management in Octopus Deploy

Published: January 16, 2018 Updated: July 17, 2020

Security Bulletin ID SB2018011615

Severity

High

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Improper Privilege Management (CVE-ID: CVE-2018-5706)

The vulnerability allows a remote authenticated user to execute arbitrary code.

An issue was discovered in Octopus Deploy before 4.1.9. Any user with user editing permissions can modify teams to give themselves Administer System permissions even if they didn't have them, as demonstrated by use of the RoleEdit or TeamEdit permission.

Remediation

Install update from vendor's website.

References

https://github.com/OctopusDeploy/Issues/issues/4167