In Octopus Deploy 2019.1.0 through 2019.3.1 and 2019.4.0 through 2019.4.5, an authenticated user with the VariableViewUnscoped or VariableEditUnscoped permission scoped to a specific project could view or edit unscoped variables from a different project. (These permissions are only used in custom User Roles and do not affect built in User Roles.)
References
Link | Resource |
---|---|
https://github.com/OctopusDeploy/Issues/issues/5528 | Exploit Third Party Advisory |
https://github.com/OctopusDeploy/Issues/issues/5529 | Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2019-05-01T13:07:14
Updated: 2019-05-01T13:07:14
Reserved: 2019-05-01T00:00:00
Link: CVE-2019-11632
JSON object: View
NVD Information
Status : Analyzed
Published: 2019-05-01T14:29:00.483
Modified: 2022-07-27T16:44:32.450
Link: CVE-2019-11632
JSON object: View
Redhat Information
No data.
CWE