Improper Privilege Management in Octopus Deploy - CVE-2018-5706

Published: January 16, 2018 / Updated: July 17, 2020

Vulnerability identifier: #VU31362
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2018-5706
CWE-ID: CWE-269
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Octopus Deploy
Affected software: Octopus Deploy

Detailed vulnerability description

The vulnerability allows a remote authenticated user to execute arbitrary code.

An issue was discovered in Octopus Deploy before 4.1.9. Any user with user-editing permissions can modify teams to grant themselves the Administer System permission even if they did not previously hold it, as demonstrated with the RoleEdit or TeamEdit permissions.
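The following Python model is an added example, not Octopus Deploy's code: it contrasts a team-edit authorization check that only tests for TeamEdit (the CWE-269 pattern described above) with a hardened check that refuses to let a non-administrator grant any permission they do not already hold. The data model, function names and the sample users are assumptions; only the permission names TeamEdit and AdministerSystem come from the advisory.

```python
from dataclasses import dataclass

ADMINISTER_SYSTEM = "AdministerSystem"
TEAM_EDIT = "TeamEdit"

@dataclass(frozen=True)
class Team:
    name: str
    members: frozenset      # user names (assumed model)
    permissions: frozenset  # permission names granted to members

def effective_permissions(user: str, teams: list) -> frozenset:
    """Union of the permissions of every team the user belongs to."""
    perms = set()
    for t in teams:
        if user in t.members:
            perms |= t.permissions
    return frozenset(perms)

def vulnerable_authorize(actor: str, teams: list, team: Team, new_perms) -> bool:
    # Flawed check: being a team editor is all that is verified, so the
    # editor may write any permission set, including ones they lack.
    return TEAM_EDIT in effective_permissions(actor, teams)

def hardened_authorize(actor: str, teams: list, team: Team, new_perms) -> bool:
    actor_perms = effective_permissions(actor, teams)
    if TEAM_EDIT not in actor_perms:
        return False
    if ADMINISTER_SYSTEM in actor_perms:
        return True  # system administrators may grant anything
    added = frozenset(new_perms) - team.permissions
    # Non-administrators may only grant permissions they already hold,
    # so no team edit can raise anyone's rights above the editor's own.
    return added <= actor_perms

# Constructed scenario: "mallory" can edit teams but is not an administrator.
TEAMS = [
    Team("Team Editors", frozenset({"mallory"}), frozenset({TEAM_EDIT, "ProjectView"})),
    Team("Deployers", frozenset({"dave"}), frozenset({"DeploymentCreate"})),
]

def escalation_attempt() -> tuple:
    """(vulnerable, hardened) verdicts for adding AdministerSystem to the editor's own team."""
    team = TEAMS[0]
    wanted = team.permissions | {ADMINISTER_SYSTEM}
    return (vulnerable_authorize("mallory", TEAMS, team, wanted),
            hardened_authorize("mallory", TEAMS, team, wanted))

def benign_edit() -> bool:
    """Hardened verdict for granting a permission the editor already holds."""
    team = TEAMS[1]
    return hardened_authorize("mallory", TEAMS, team, team.permissions | {"ProjectView"})
```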

How to mitigate CVE-2018-5706

Install the update from the vendor's website (Octopus Deploy 4.1.9 or later).

Sources