CVE-2019-11632

HIGH

Octopus Deploy <2019.3.1, <2019.4.5 - Info Disclosure

Title source: llm

Description

In Octopus Deploy 2019.1.0 through 2019.3.1 and 2019.4.0 through 2019.4.5, an authenticated user with the VariableViewUnscoped or VariableEditUnscoped permission scoped to a specific project could view or edit unscoped variables from a different project. (These permissions are only used in custom User Roles and do not affect built-in User Roles.)

References (2)

Core References
Exploit, Third Party Advisory x_refsource_misc
https://github.com/OctopusDeploy/Issues/issues/5528
Third Party Advisory x_refsource_misc
https://github.com/OctopusDeploy/Issues/issues/5529

Scores

CVSS v3 8.1
EPSS 0.0117
EPSS Percentile 63.5%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Details

CWE
CWE-269
Status published
Products (2)
octopus/octopus_deploy 2019.1.0 - 2019.3.1
octopus/octopus_server 2019.4.0 - 2019.4.5
Published May 01, 2019
Tracked Since Feb 18, 2026