CVE-2018-9039 Information

Description

In Octopus Deploy 2.0 and later, before 2018.3.7, an authenticated user with variable edit permissions can scope some variables to targets beyond what their permissions should allow. In other words, they can see machines outside their team’s scoped environments.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Reference

https://github.com/OctopusDeploy/Issues/issues/4407
https://octopus.com/downloads/compare?from=2018.3.6&to=2018.3.7

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

Base Score

6.5

Base Severity

MEDIUM
