CVE-2018-12089 - OpenCVE

In Octopus Deploy version 2018.5.1 to 2018.5.7, a user with Task View is able to view a password for a Service Fabric Cluster, when the Service Fabric Cluster target is configured in Azure Active Directory security mode and a deployment is executed with OctopusPrintVariables set to True. This is fixed in 2018.6.0.

No CVSS v3.1

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:M/Au:S/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Octopus	Octopus Server

Configuration 1 [-]

cpe:2.3:a:octopus:octopus_server:*:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/OctopusDeploy/Issues/issues/4628	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2022-10-03T16:22:07

Updated: 2022-10-03T16:22:07

Reserved: 2022-10-03T00:00:00

Link: CVE-2018-12089

JSON object: View

NVD Information

Status : Analyzed

Published: 2018-06-11T10:29:00.360

Modified: 2022-07-27T15:40:53.433

Link: CVE-2018-12089

JSON object: View

Redhat Information

No data.

CWE

CWE-200

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:octopus:octopus_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "2DD668AE-4B39-44E7-ACE3-52B4809B42AD", "versionEndIncluding": "2018.5.7", "versionStartIncluding": "2018.5.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In Octopus Deploy version 2018.5.1 to 2018.5.7, a user with Task View is able to view a password for a Service Fabric Cluster, when the Service Fabric Cluster target is configured in Azure Active Directory security mode and a deployment is executed with OctopusPrintVariables set to True. This is fixed in 2018.6.0."}, {"lang": "es", "value": "Desde la versi\u00f3n 2018.5.1 hasta la 2018.5.7 de Octopus Deploy, un usuario con Task View puede visualizar una contrase\u00f1a para un Service Fabric Cluster, cuando el objetivo del Service Fabric Cluster est\u00e1 configurado en el modo de seguridad Azure Active Directory y se ejecuta una implementaci\u00f3n con el valor de OctopusPrintVariables en \"True\". Esto se ha solucionado en la versi\u00f3n 2018.6.0."}], "id": "CVE-2018-12089", "lastModified": "2022-07-27T15:40:53.433", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-06-11T10:29:00.360", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/OctopusDeploy/Issues/issues/4628"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}