Skip to main content

Octopus Deploy CVE-2019-11632

HIGH
Improper Privilege Management (CWE-269)
2019-05-01 cve@mitre.org
8.1
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
CVE Published
May 01, 2019 - 14:29 nvd
HIGH 8.1

DescriptionNVD

In Octopus Deploy 2019.1.0 through 2019.3.1 and 2019.4.0 through 2019.4.5, an authenticated user with the VariableViewUnscoped or VariableEditUnscoped permission scoped to a specific project could view or edit unscoped variables from a different project. (These permissions are only used in custom User Roles and do not affect built in User Roles.)

AnalysisAI

In Octopus Deploy 2019.1.0 through 2019.3.1 and 2019.4.0 through 2019.4.5, an authenticated user with the VariableViewUnscoped or VariableEditUnscoped permission scoped to a specific project could. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Improper Privilege Management (CWE-269), which allows attackers to escalate privileges to gain unauthorized elevated access. In Octopus Deploy 2019.1.0 through 2019.3.1 and 2019.4.0 through 2019.4.5, an authenticated user with the VariableViewUnscoped or VariableEditUnscoped permission scoped to a specific project could view or edit unscoped variables from a different project. (These permissions are only used in custom User Roles and do not affect built in User Roles.) Affected products include: Octopus Octopus Deploy, Octopus Octopus Server. Version information: through 2019.3.1.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply principle of least privilege, validate privilege transitions, implement proper role separation.

CVE-2018-9039 MEDIUM POC
6.5 Mar 27

In Octopus Deploy 2.0 and later before 2018.3.7, an authenticated user, with variable edit permissions, can scope some v

CVE-2017-16810 MEDIUM POC
5.4 Nov 14

Cross-site scripting (XSS) vulnerability in the All Variables tab in Octopus Deploy 3.4.0-3.13.6 (fixed in 3.13.7) allow

CVE-2018-10581 MEDIUM POC
5.4 May 01

In Octopus Deploy 3.4.x before 2018.4.7, an authenticated user is able to view/update/save variable values within the Te

CVE-2017-17665 HIGH
8.8 Dec 13

In Octopus Deploy before 4.1.3, the machine update process doesn't check that the user has access to all environments. R

CVE-2020-10678 HIGH
8.8 Mar 19

In Octopus Deploy before 2020.1.5, for customers running on-premises Active Directory linked to their Octopus server, an

CVE-2018-5706 HIGH
8.8 Jan 16

An issue was discovered in Octopus Deploy before 4.1.9. Rated high severity (CVSS 8.8), this vulnerability is remotely e

CVE-2018-4862 HIGH
8.8 Jan 03

In Octopus Deploy versions 3.2.11 - 4.1.5 (fixed in 4.1.6), an authenticated user with ProcessEdit permission could refe

CVE-2021-26556 HIGH
7.8 Oct 07

When Octopus Server is installed using a custom folder location, folder ACLs are not set correctly and could lead to an

CVE-2017-15609 HIGH
7.5 Oct 19

Octopus before 3.17.7 allows attackers to obtain sensitive cleartext information by reading a variable JSON file in cert

CVE-2022-2013 HIGH
7.5 Jun 13

In Octopus Server after version 2022.1.1495 and before 2022.1.2647 if private spaces were enabled via the experimental f

CVE-2020-27155 HIGH
7.5 Oct 22

An issue was discovered in Octopus Deploy through 2020.4.4. Rated high severity (CVSS 7.5), this vulnerability is remote

CVE-2020-25825 HIGH
7.5 Oct 12

In Octopus Deploy 3.1.0 to 2020.4.0, certain scripts can reveal sensitive information to the user in the task logs. Rate

Share

CVE-2019-11632 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy