CVE-2018-9039

MEDIUM

Octopus Deploy 2.0-2018.3.6 - Authenticated Missing Authorization in Variable Scoping

Title source: llm
STIX 2.1

Description

In Octopus Deploy 2.0 and later before 2018.3.7, an authenticated user, with variable edit permissions, can scope some variables to targets greater than their permissions should allow. In other words, they can see machines beyond their team's scoped environments.

References (2)

Core 2
Core References
Exploit, Third Party Advisory x_refsource_confirm
https://github.com/OctopusDeploy/Issues/issues/4407

Scores

CVSS v3 6.5
EPSS 0.0104
EPSS Percentile 60.0%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-862
Status published
Products (1)
octopus/octopus_deploy 2.0 - 2018.3.7
Published Mar 27, 2018
Tracked Since Feb 18, 2026