Vulnerability identifier: #VU37014
Vulnerability risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-269
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Octopus Deploy
Server applications /
Application servers
Vendor: Octopus Deploy
Description
The vulnerability allows a remote authenticated user to manipulate data.
In Octopus Deploy 3.0 onwards (before 2018.6.7), an authenticated user with incorrect permissions may be able to create Accounts under the Infrastructure menu.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Octopus Deploy: 3.0
External links
http://github.com/OctopusDeploy/Issues/issues/4674
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.