Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2018-10581

In Octopus Deploy 3.4.x before 2018.4.7, an authenticated user is able to view/update/save variable values within the Tenant Variables area for Environments that do not exist within their associated Team scoping. This occurs in situations where this authenticated user also belongs to multiple teams, where one of the Teams has the VariableEdit permission or VariableView permissions for the Environment.

Published

2018-05-01T13:29:00.297

Last Modified

2024-11-21T03:41:36.250

Status

Modified

Source

[email protected]

Severity

CVSSv3.0: 5.4 (MEDIUM)

CVSSv2 Vector

AV:N/AC:L/Au:S/C:P/I:P/A:N

Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

8.0

Impact Score

4.9

Weaknesses

Type: Primary
CWE-200

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	octopus	octopus_deploy	< 2018.4.7	Yes

References

https://github.com/OctopusDeploy/Issues/issues/4474 Exploit, Third Party Advisory ([email protected])
https://github.com/OctopusDeploy/Issues/issues/4474 Exploit, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)