CVE-2018-9039

In Octopus Deploy 2.0 and later before 2018.3.7, an authenticated user, with variable edit permissions, can scope some variables to targets greater than their permissions should allow. In other words, they can see machines beyond their team's scoped environments.

Published: Mar 27, 2018
Updated: Apr 13, 2023
CVE: CVE-2018-9039
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.5
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS v2:

Severity: Low
Score: 4
AV:N/AC:L/Au:S/C:P/I:N/A:N

CWEs:

CWE-862

Affected Software
References

Software	From	Fixed in
octopus / octopus_deploy	2.0	2018.3.7

https://github.com/OctopusDeploy/Issues/issues/4407
https://octopus.com/downloads/compare?from=2018.3.6&to=2018.3.7

Vulnerability Database

289,697

CVE-2018-9039