In Octopus Deploy 2.0 and later before 2018.3.7, an authenticated user, with variable edit permissions, can scope some variables to targets greater than their permissions should allow. In other words, they can see machines beyond their team's scoped environments.
References
Link | Resource |
---|---|
https://github.com/OctopusDeploy/Issues/issues/4407 | Exploit Third Party Advisory |
https://octopus.com/downloads/compare?from=2018.3.6&to=2018.3.7 | Release Notes |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2018-03-27T03:00:00
Updated: 2018-03-27T03:57:01
Reserved: 2018-03-26T00:00:00
Link: CVE-2018-9039
JSON object: View
NVD Information
Status : Analyzed
Published: 2018-03-27T03:29:00.543
Modified: 2020-08-24T17:37:01.140
Link: CVE-2018-9039
JSON object: View
Redhat Information
No data.
CWE