Improper Privilege Management in Octopus Deploy - CVE-2018-9039


Published: March 27, 2018 / Updated: July 17, 2020


Vulnerability identifier: #VU31341
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2018-9039
CWE-ID: CWE-269
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Octopus Deploy
Affected software:
Octopus Deploy

Detailed vulnerability description

The vulnerability allows a remote authenticated user to gain access to sensitive information.

In Octopus Deploy 2.0 and later before 2018.3.7, an authenticated user with variable edit permissions can scope variables to deployment targets beyond what their permissions should allow. In other words, they can see machines outside their team's scoped environments.


How to mitigate CVE-2018-9039

Install the update from the vendor's website: the issue is fixed in Octopus Deploy 2018.3.7, so upgrade affected installations (2.0 and later before 2018.3.7) to that version or newer.

Sources