CVE-2018-9039 - OpenCVE

In Octopus Deploy 2.0 and later before 2018.3.7, an authenticated user, with variable edit permissions, can scope some variables to targets greater than their permissions should allow. In other words, they can see machines beyond their team's scoped environments.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Octopus	Octopus Deploy

Configuration 1 [-]

cpe:2.3:a:octopus:octopus_deploy:*:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/OctopusDeploy/Issues/issues/4407	Exploit Third Party Advisory
https://octopus.com/downloads/compare?from=2018.3.6&to=2018.3.7	Release Notes

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2018-03-27T03:00:00

Updated: 2018-03-27T03:57:01

Reserved: 2018-03-26T00:00:00

Link: CVE-2018-9039

JSON object: View

NVD Information

Status : Analyzed

Published: 2018-03-27T03:29:00.543

Modified: 2020-08-24T17:37:01.140

Link: CVE-2018-9039

JSON object: View

Redhat Information

No data.

CWE

CWE-862

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2018-03-26T00:00:00", "descriptions": [{"lang": "en", "value": "In Octopus Deploy 2.0 and later before 2018.3.7, an authenticated user, with variable edit permissions, can scope some variables to targets greater than their permissions should allow. In other words, they can see machines beyond their team's scoped environments."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-03-27T03:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/OctopusDeploy/Issues/issues/4407"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://octopus.com/downloads/compare?from=2018.3.6&to=2018.3.7"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-9039", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Octopus Deploy 2.0 and later before 2018.3.7, an authenticated user, with variable edit permissions, can scope some variables to targets greater than their permissions should allow. In other words, they can see machines beyond their team's scoped environments."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/OctopusDeploy/Issues/issues/4407", "refsource": "CONFIRM", "url": "https://github.com/OctopusDeploy/Issues/issues/4407"}, {"name": "https://octopus.com/downloads/compare?from=2018.3.6&to=2018.3.7", "refsource": "CONFIRM", "url": "https://octopus.com/downloads/compare?from=2018.3.6&to=2018.3.7"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-9039", "datePublished": "2018-03-27T03:00:00", "dateReserved": "2018-03-26T00:00:00", "dateUpdated": "2018-03-27T03:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:octopus:octopus_deploy:*:*:*:*:*:*:*:*", "matchCriteriaId": "42EA81AB-161E-4160-B11C-9D8BC96129FA", "versionEndExcluding": "2018.3.7", "versionStartIncluding": "2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In Octopus Deploy 2.0 and later before 2018.3.7, an authenticated user, with variable edit permissions, can scope some variables to targets greater than their permissions should allow. In other words, they can see machines beyond their team's scoped environments."}, {"lang": "es", "value": "En Octopus Deploy 2.0 y posteriores, anteriores a 2018.3.7, un usuario autenticado con permisos de edici\u00f3n de variables puede averiguar algunas variables para l\u00edmites mayores que aquellos para los que deber\u00eda tener permisos. En otras palabras, los usuarios pueden visualizar m\u00e1quinas m\u00e1s a all\u00e1 de los entornos dentro de los l\u00edmites del equipo."}], "id": "CVE-2018-9039", "lastModified": "2020-08-24T17:37:01.140", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-03-27T03:29:00.543", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/OctopusDeploy/Issues/issues/4407"}, {"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "https://octopus.com/downloads/compare?from=2018.3.6&to=2018.3.7"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}]}