Improper Privilege Management in Octopus Deploy - CVE-2018-10550
Published: April 30, 2018 / Updated: July 17, 2020
Vulnerability identifier: #VU31316
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2018-10550
CWE-ID: CWE-269
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Octopus Deploy
Affected software: Octopus Deploy
Detailed vulnerability description
The vulnerability allows a remote unauthenticated attacker to gain access to sensitive information.
In Octopus Deploy before 2018.4.7, target and tenant tag variable scopes were not checked against the list of tenants the user has access to.
How to mitigate CVE-2018-10550
Install the update from the vendor's website.