Description
An issue was discovered in Octopus Deploy before 4.1.9. Any user with user editing permissions can modify teams to give themselves Administer System permissions even if they didn't have them, as demonstrated by use of the RoleEdit or TeamEdit permission.
References (1)
Core 1
Core References
Issue Tracking, Mitigation, Third Party Advisory x_refsource_confirm
https://github.com/OctopusDeploy/Issues/issues/4167
Scores
CVSS v3
8.8
EPSS
0.0102
EPSS Percentile
59.1%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-269
Status
published
Products (1)
octopus/octopus_deploy
< 4.1.9
Published
Jan 16, 2018
Tracked Since
Feb 18, 2026